SIMATIC S7 MODBUS Slave Driver Manual

Preface
SIMATIC S7-300/S7-400 Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
SIMATIC
S7-300/S7-400
Loadable Driver for Point-to-Point
CPs: MODBUS Protocol, RTU
format, S7 is Slave
Operating Instructions
1
______________
2
Product Description
______________
3
Installation
______________
4
Mode of Operation
______________
5
Commissioning the Driver
______________
Commissioning the
Communications FB
6
______________
7
CPU-CP interface
______________
8
Transmission Protocol
______________
9
Function Codes
______________
10
Diagnostics of the Driver
______________
Diagnostics of the
Communications FB
11
______________
A
Technical Data
______________
B
Wiring Diagrams Multipoint
______________
C
References
______________
09/2009
A5E00218418-06
Legal information
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
with a safety alert symbol, indicates that minor personal injury can result if proper precautions are not taken.
CAUTION
without a safety alert symbol, indicates that property damage can result if proper precautions are not taken.
NOTICE
indicates that an unintended result or situation can occur if the corresponding information is not taken into
account.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation for the specific task, in particular its warning notices and
safety instructions. Qualified personnel are those who, based on their training and experience, are capable of
identifying risks and avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be adhered to. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of the Siemens AG. The remaining trademarks in this
publication may be trademarks whose use by third parties for their own purposes could violate the rights of the
owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Siemens AG
Industry Sector
Postfach 48 48
90026 NÜRNBERG
GERMANY
A5E00218418-06
Ⓟ 09/2009
Copyright © Siemens AG 2009.
Technical data subject to change
Table of contents
1
Preface ...................................................................................................................................................... 7
2
Product Description ................................................................................................................................. 11
3
4
5
2.1
Application Options ......................................................................................................................11
2.2
Hardware and Software Requirements........................................................................................13
2.3
Summary of the GOULD-MODBUS Protocol ..............................................................................14
Installation ............................................................................................................................................... 17
3.1
Use of the Dongle ........................................................................................................................17
3.2
Interface Connection....................................................................................................................18
Mode of Operation ................................................................................................................................... 19
4.1
Components of the SIMATIC / MODBUS Slave Data Link..........................................................19
4.2
Task Distribution ..........................................................................................................................21
4.3
Used MODBUS Function Codes..................................................................................................21
4.4
Data Areas in the SIMATIC CPU .................................................................................................22
4.5
Access with Bit-Orientated Function Codes ................................................................................23
4.6
Access with Register-Orientated Function Codes .......................................................................24
4.7
Enable/disable Write Access .......................................................................................................26
Commissioning the Driver........................................................................................................................ 27
5.1
Installing the Driver on the STEP 7 Programming Device/PC.....................................................27
5.2
Uninstalling the Driver..................................................................................................................28
5.3
5.3.1
5.3.2
Configuring the Data Link ............................................................................................................28
Configuring a Data Link with the CP 341.....................................................................................28
Configuring a Data Link with the CP 441-2..................................................................................29
5.4
5.4.1
5.4.2
5.4.3
Assigning Parameters to the CP..................................................................................................31
Assigning Parameters to the CP..................................................................................................31
Assigning Parameters to the CP 341...........................................................................................31
Assigning Parameters to the CP 441-2 .......................................................................................32
5.5
Configuration of the Data Link .....................................................................................................34
5.6
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
Assigning parameters to the loadable driver ...............................................................................35
MODBUS Slave Protocol .............................................................................................................35
Conversion of MODBUS Addresses for Bit Functions.................................................................38
Conversion of MODBUS Addresses for Register Functions .......................................................42
Limits for Write Functions ............................................................................................................44
RS422/485 (X27) Interface ..........................................................................................................46
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
3
Table of contents
6
7
5.7
Loading the Configuration and Parameter Assignment Data for the CP 341 ............................. 48
5.8
Loading drivers to the CP 341 .................................................................................................... 49
5.9
Loading the Configuration and Parameter Assignment data for the CP 441-2 .......................... 50
5.10
Startup Characteristics of the CP................................................................................................ 50
5.11
Parameter Assignment for "Startup of the CPU" ........................................................................ 51
Commissioning the Communications FB ................................................................................................. 53
6.1
Installing the FB .......................................................................................................................... 53
6.2
STEP 7 project ............................................................................................................................ 54
6.3
FB 80 Parameters (CP 341)........................................................................................................ 56
6.4
FB 180 Parameters (CP 441-2) .................................................................................................. 57
6.5
Program Call ............................................................................................................................... 58
6.6
Cyclic Operation.......................................................................................................................... 61
CPU-CP interface .................................................................................................................................... 63
7.1
7.1.1
7.1.2
7.1.3
CPU-CP interface for CP 341 ..................................................................................................... 63
General Information .................................................................................................................... 63
Data Transfer Length CPU <-> CP ............................................................................................. 63
Data Consistency ........................................................................................................................ 64
7.2
7.2.1
7.2.2
7.2.3
CPU-CP Interface for CP 441-2.................................................................................................. 65
General Information .................................................................................................................... 65
Data Transfer Length CPU <-> CP ............................................................................................. 65
Data Consistency ........................................................................................................................ 66
8
Transmission Protocol ............................................................................................................................. 67
9
Function Codes........................................................................................................................................ 73
4
9.2
Function Code 01 – Read Coil (Output) Status........................................................................... 75
9.3
Function code 02 - Read Input Status ........................................................................................ 79
9.4
Function Code 03 - Read Output Registers................................................................................ 82
9.5
Function code 04 - Read Input Registers ................................................................................... 85
9.6
Function Code 05 - Force Single Coil ......................................................................................... 89
9.7
Function code 06 - Preset Single Register ................................................................................. 92
9.8
Function code 08 - Loop back Diagnostic Test........................................................................... 95
9.9
Function code 15 - Force Multiple Coils...................................................................................... 97
9.10
Function code 16 - Preset Multiple Registers ........................................................................... 100
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Table of contents
10
11
Diagnostics of the Driver........................................................................................................................ 103
10.1
10.1.1
10.1.2
Diagnostic Facilities on the CP 341 ...........................................................................................104
Diagnostics via Display Elements of the CP 341.......................................................................104
Diagnostic Messages of the Function Blocks of the CP 341 .....................................................105
10.2
10.2.1
10.2.2
10.2.3
10.2.4
Diagnostic Facilities on the CP 441-2........................................................................................106
Diagnostics via Display Elements of the CP 441-2....................................................................106
Diagnostic Messages of the System Function Blocks of the CP 441-2.....................................107
Reading Error Message Area SYSTAT for CP 441-2................................................................108
Diagnostics via Error Message Area SYSTAT of the CP 441-2 ................................................108
10.3
10.3.1
10.3.2
10.3.3
Table of Errors/Events ...............................................................................................................110
Error Codes in SYSTAT for "CPU Job Errors"...........................................................................110
Error Codes in SYSTAT for "Receive Errors" ............................................................................111
Error Codes in SYSTAT for “General Processing Errors” .........................................................112
Diagnostics of the Communications FB ................................................................................................. 117
11.1
11.1.1
11.1.2
11.1.3
A
Diagnostics via Parameters ERROR_NR, ERROR_INFO ........................................................118
Errors during “Initialization” ........................................................................................................118
Errors during “Processing of Function Codes”...........................................................................119
“Other” Errors .............................................................................................................................120
Technical Data....................................................................................................................................... 121
A.1
Technical Data ...........................................................................................................................121
B
Wiring Diagrams Multipoint .................................................................................................................... 127
C
References ............................................................................................................................................ 129
C.1
References.................................................................................................................................129
Glossary ................................................................................................................................................ 131
Index...................................................................................................................................................... 139
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
5
Table of contents
6
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
1
Preface
Purpose of the Manual
The information in this manual will enable you to set up and commission a data link between
a CP in the form of a “Modbus capable” slave and a MODBUS Master control system.
Required Basic Knowledge
This manual requires general knowledge of automation engineering.
In addition, you should know how to use computers or devices with similar functions (e.g
programming devices) under the Microsoft® Windows ®operating systems and have a
knowledge of STEP 7 programming.
Scope of this Manual
This manual applies to the following software:
Product
Order Number
From
version
Loadable Driver for Point-to-Point CPs
6ES7870-1AB01-0YA0
3.0
Note
This manual contains the description of the driver and the function block as is valid at the
time of publication.
Guide
This manual describes the function of the loadable driver and its integration into the
hardware and software of the CP 341 and CP 441-2 communications processors.
The manual covers the following topics:
● Product Description/Installation
● Mode of Operation of the Data Link
● Commissioning the Driver / Installation / Parameter Assignment
● Commissioning the Function Block / Parameter Assignment / STEP 7 Application
Example
● CPU-CP Interface
● Transmission Protocol / Function Codes
● Diagnostics of the Driver
● Diagnostics of the Function Block
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
7
Preface
Conventions
This manual uses the generic term CP, or CP 341 and CP 441-2.
Special Notes
The driver described in this manual serves as a loadable protocol for the CP, which may be
used instead of the 3964R, RK512, ASCII, and printer standard protocols.
Note
Communication sequences between the CP and CPU can be modified or expanded in the
case of this driver.
In particular, the existing event classes and event numbers for diagnostics can be modified
and expanded.
Also note that this manual only describes the modifications and expansions compared to the
standard functions. You will find all basic information in the manual for the CP you are using.
In order to ensure safe use of this driver, you should have detailed knowledge of the way in
which the CP functions.
Technical Support
You can contact Technical Support for all Industry Automation products using the Web form
to request support under
http://www.siemens.com/automation/support-request
Additional information about our technical support is available in the Internet at
http://www.siemens.com/automation/service.
Service & Support on the Internet
In addition to our documentation, we offer our know-how online at:
http://www.siemens.com/automation/service&support
There you can find:
● The newsletter, which constantly provides you with up-to-date information on your
products.
● The right documents for you using the product support search feature.
● A forum where users and experts from all over the world exchange ideas.
● Your local partner of Industry onsite.
● Information about repairs, spare parts, and consulting
8
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Preface
Further Support
If you have any further questions about the use of products described in this manual, and do
not find the right answers there, contact your local Siemens representative.
You will find information on who to contact at:
http://www.siemens.com/automation/partner
You will find a guide to the technical documentation we offer for individual SIMATIC products
and systems at:
http://www.siemens.com/simatic-tech-doku-portal
The online catalog and ordering system are available at:
http://mall.automation.siemens.com
Training Center
We offer a range of courses to help you to get started with the SIMATIC S7 automation
system. Please contact your regional training center or our main training center in
Nuremberg, Germany, for details:
http://www.sitrain.com
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
9
Preface
10
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Product Description
2.1
2
Application Options
Position in the System Environment
The driver described here is a software product for the communications processors CP 341
(S7-300) and CP 441-2 (S7-400).
CP 341 and CP 441-2 can be used in S7 automation systems and can establish serial
communication links to partner systems.
Function of the Driver
This driver, together with the appropriate function block, enables you to establish a
communications link between a MODBUS Master control system (for example, Modicon
controllers or Honeywell TDC 3000) and the CP 341 or CP 441-2 communications module in
the form of a “Modbus capable” slave system.
The transmission protocol used is the GOULD - MODBUS Protocol in RTU format. Data
transmission is carried out in accordance with the Master-Slave principle.
The master has the initiative during the transmission, the CP/ the S7-CPU operates as the
slave.
Function codes 01, 02, 03, 04, 05, 06, 08, 15 and 16 can be used for communication
between the CP and the master system.
Interpretation of the MODBUS Addresses
The MODBUS address in the request message frame from the master is interpreted by the
driver in an “S7-like” manner.
This means that it is possible to:
● read and write to memory bits, outputs, data blocks,
● read memory bits, inputs, timers, counters in the S7-CPU.
The interpretation of the MODBUS address is explained in the following chapters.
Usable Interfaces and Protocols
The two serial interfaces of the CP 441-2 can be operated independently of each other using
different standard protocols or loadable driver protocols.
Available interface physics for the CPs are RS 232, TTY, or RS 422/485 (X27).
When using the RS422/485 (X27) interface in 2-wire operation, it is possible to connect up to
32 slaves to one master, thus creating a multipoint connection (network).
Creation of a multipoint connection with other types of physical interface requires additional
external hardware (for example, Honeywell DHP).
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
11
Product Description
2.1 Application Options
Possible System Configuration
The following figure shows a schematic illustration of a possible system configuration.
69
&38
&3b
,QWHUIDFHPRGXOHV
56&77<;
6
Data consistency
The data exchange between the S7 CPU and the CP is carried out block-by-block by
integrated system functions.
For more information see the sections "Data Consistency (Page 64)" and "Data Consistency
(Page 66)" in this manual.
12
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Product Description
2.2 Hardware and Software Requirements
2.2
Hardware and Software Requirements
Useable Module
The driver runs on CP 341 and CP 441-2 with part number MLFB 6ES7441-2AA02-0AE0 or
higher.
CP 441-1 with part number MLFB 6ES7441-1AA0x-0AE0 and CP 441-2 with part number
MLFB 6ES7441-2AA00-0AE0 or 6ES7441-2AA01-0AE0 cannot be used with loadable
drivers.
Dongle
In order to use the CP with loadable drivers, you require a dongle. The dongle is supplied
with the driver.
Load Memory of the CPU (Memory Card)
When the CP 441-2 is used, the loadable drivers are loaded to the load memory of the CPU
based on their parameter assignment and transferred to the CP memory on startup of the
CPU.
Therefore, the CPU must have sufficient load memory. A RAM or FLASH memory card (part
number MLFB 6ES7952-…) is required for this purpose.
Approximately 25 KB of CPU load memory is required for each CP interface for which this
loadable driver was assigned.
When the CP 341 is used, the loadable drivers are loaded directly to the CP 341. Load
memory on the S7-300 CPU is therefore not necessary. Note, however, that you will not be
able to replace a module without a programming device.
Software Requirements
An installed version of STEP 7 Basis V5.3 or higher.
An installed version of the optional package Assigning Parameters to Point-To-Point
Connections CP PtP Param V5.1 or higher.
Data Structures
Prior to configuration of your S7 data structures, you should ensure that they are compatible
with the user program of the MODBUS Master systems. Clarify which function codes and
which MODBUS addresses will be used.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
13
Product Description
2.3 Summary of the GOULD-MODBUS Protocol
2.3
Summary of the GOULD-MODBUS Protocol
Function Codes
The type of data exchange between the MODBUS systems is controlled by Function Codes
(FCs).
Data Exchange
The following FCs can be used to carry out data exchange bit-by-bit:
● FC 01 Read coil (output) status,
● FC 02 Read input status,
● FC 05 Force single coil,
● FC 15 Force multiple coils.
The following FCs can be used to carry out data exchange register-by-register:
● FC 03 Read holding registers,
● FC 04 Read input registers,
● FC 06 Preset single register,
● FC 16 Preset multiple registers.
Data Areas
As a rule, the individual FCs operate in accordance with the table below:
14
Function code
Data
Type of data
Type of access
01, 05, 15
Coil (output) status
Bit
Output
Read / Write
02
Input status
Bit
Input
Read only
03, 06, 16
Holding register
Register
(16 bit)
Output register Read / Write
04
Input register
Register
(16 bit)
Input register
Read only
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Product Description
2.3 Summary of the GOULD-MODBUS Protocol
Address Representation
Analogous to the partitioning into read/write and read-only areas, data at user level can be
represented as shown in the table below:
Function code
Type of data
Address representation at user level (decimal)
01, 05, 15
Output bit
0xxxx
02
Input bit
1xxxx
04
Input register
3xxxx
03, 06, 16
Holding register
4xxxx
In the transmission message frame on the serial transmission line, the addresses used in the
MODBUS user system are referenced to 0.
In the MODBUS user system itself, these addresses are counted beginning with 1!
Example
● The first holding register in the user system is represented as register 40001. In the
transmission message frame the value 0000 Hex is transmitted as the register address
when FC 03, 06, or 16 is used.
● The 127th coil is represented as coil 00127 in the user system and is assigned the coil
address 007E Hex in the transmission message frame.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
15
Product Description
2.3 Summary of the GOULD-MODBUS Protocol
16
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Installation
3.1
3
Use of the Dongle
Introduction
In order to use the CP with loadable drivers, you require a dongle. When the dongle is
plugged in, drivers can be loaded. For the CP 441-2, you can download drivers for both
interfaces.
Inserting the Dongle
To insert the dongle, you must remove the CP from the rack. The module slot where you
insert the dongle is located on the back of the CP above the plug-in connector for the
backplane bus.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
17
Installation
3.2 Interface Connection
3.2
Interface Connection
RS 232C / TTY
It is possible to create a point-to-point connection to a master system.
Further information on the interface connection can be found in the manual “CP: Point-toPoint Communication.”
X27/RS485 (2-wire)
It is possible to create a multipoint connection (network) connecting up to 32 slaves to one
master system.
The driver of the CP switches the receive 2-wire line between send and receive.
02'%86PDVWHU
V\VWHP
02'%866ODYH
6,0$7,&6&3
75 $
5 $
75 %
5 %
*1'
*1'
(QFORVXUHVKLHOG
Figure 3-1
(QFORVXUHVKLHOG
Schematic connection: 1 master system, 1 slave system at the bus
Further information on the interface connection can be found in the manual “CP: Point-toPoint Communication”.
X27/RS422 (4-wire)
It is possible to create a point-to-point connection to a master system.
Direct creation of a multipoint connection (network) is not possible, because it is not
supported by the RS422/RS485 (X27) interface hardware.
Additional information on the interface connection is available in the section "Wiring
Diagrams Multipoint (Page 127)" and in the manual “CP: Point-to-Point Communication”.
18
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Mode of Operation
4
General Information
The supplied data link converts data access of the MODBUS protocol to the specific memory
areas of the SIMATIC S7 CPU.
4.1
Components of the SIMATIC / MODBUS Slave Data Link
MODBUS Slave Data Link
The MODBUS slave data link for the CP consists of two parts:
● Loadable driver for the CP
● MODBUS Communications Function Block for the SIMATIC S7 CPU
MODBUS Slave Communications FB
In addition to the loadable MODBUS slave driver, the SIMATIC MODBUS slave data link
requires a special communications FB in the S7 CPU.
The required communication FB will be made available after installation of the MODBUS
slave CD in the STEP 7 library Modbus. The library contains the following blocks:
● MODBUS communication function block FB 180 for applications in a S7-400 CPU
● MODBUS communication function block FB 80 for applications in a S7-300 CPU
Because the FB 80 calls the function blocks FB 7 and FB 8, you have to load FB 7 and FB 8
in the controller.
The call of the FBs is shown in the example OBs in the STEP 7 project file Examples\Modsl.
The call for the CP 441-2 is stored in the Station Modbus Slave 400 and the call for the
CP 341 is stored in the Station Modbus Slave 300.
The Modbus communications FB processes all the functions required for the data link.
The supplied MODBUS slave communication function block FB180/80 must be called in the
cyclic program of the user program. The MODBUS communications FB uses an instance
data block as the work area.
Note
Any modifications carried out to the supplied function block will invalidate the warranty.
Consequential damages cannot be claimed.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
19
Mode of Operation
4.1 Components of the SIMATIC / MODBUS Slave Data Link
MODBUS Slave Driver
The loadable driver realizes the MODBUS protocol and converts the MODBUS addresses in
the SIMATIC memory areas.
The loadable driver is loaded into SIMATIC using the parameter assignment tool CP:
Assigning Parameters to Point-To-Point Connections where it is automatically transferred
into the CP.
Parameters
The parameters and operating modes listed below must be set for the loadable driver using
the parameter assignment tool.
● Transmission rate, parity
● Slave address of CP
● Operating mode (normal, interference suppression)
● Multiplication factor for the character delay time
● Address areas for FC 01, 05, 15
● Address areas for FC 02
● Base DB number for FC 03, 06, 16
● Base DB number for FC 04
● Limits for write-only access
20
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Mode of Operation
4.2 Task Distribution
4.2
Task Distribution
Task distribution on the CP 341
With the CP 341 you will have to call the communication FB FB 80 for all function codes.
Task distribution on the CP 441
The CP 441 processes the function codes 01, 02, 03, 04, 06 and 16 on its own.
For function codes 05 and 15, the communication FB FB 180 carries out data input into the
SIMATIC memory area bit-by-bit.
4.3
Used MODBUS Function Codes
Used Function Codes
The following MODBUS function codes are supported by the driver:
Function code
Function in accordance with
MODBUS specification
General description
01
Read Coil Status
Read bits
02
Read Input Status
Read bits
03
Read Holding Registers
Read registers (words)
04
Read Input Registers
Read registers (words)
05
Force Single Coil
Write 1 bit
06
Preset Single Register
Write 1 register (word)
08
Loop Back Test
Line check
15
Force Multiple Coils
Write several bits
16
Preset Multiple Registers
Write several registers
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
21
Mode of Operation
4.4 Data Areas in the SIMATIC CPU
4.4
Data Areas in the SIMATIC CPU
Data areas
The individual FCs access the following SIMATIC data areas in the PLC:
Function code
MODBUS data type
SIMATIC data type
Type of access
01
Coil status
Memory bit
Read bit by bit
Outputs
Read bit by bit
Timers
Read bit by bit
(16-bit interval)
Counters
Read bit by bit
(16-bit interval)
Memory bit
Read bit by bit
Inputs
Read bit by bit
02
Input status
03
Holding registers
Data block
Read word by word
04
Input register
Data block
Read word by word
05
Single coil
Memory bit
Write bit by bit
Outputs
Write bit by bit
Data block
Write word by word
06
Single (holding) register
08
-
-
Mirror reception
15
Multiple coils
Memory bit
Write bit by bit
Outputs
Write bit by bit
Data block
Write word by word
16
Multiple (holding) registers
Address Transformation
The MODBUS address in the message frame is interpreted by the driver “in an S7 way” and
transformed in the SIMATIC memory area.
Access to the individual SIMATIC memory areas can be specified by the user by means of
the parameter assignment tool CP: Assigning Parameters to Point-To-Point Connections.
22
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Mode of Operation
4.5 Access with Bit-Orientated Function Codes
4.5
Access with Bit-Orientated Function Codes
Function Codes 01, 05 and 15
The bit-oriented function codes 01, 05 and 15 allow both read and write access to the
SIMATIC memory areas of memory bits, outputs, timers and counters;
Timers and counters are read-only with FC01.
You can use the parameter assignment tool to specify from/to which MODBUS address
access is made to memory bits, outputs, timers, and counters.
It is also possible to parameterize the data element in the SIMATIC memory area from which
access should begin.
02'%86DGGUHVVLQ
WUDQVPLVVLRQPHVVDJH
IUDPH
IURP
DDDD
WR
EEEE
IURP
FFFF
WR
GGGG
IURP
HHHH
WR
IIII
IURP
JJJJ
WR
KKKK
6,0$7,&PHPRU\DUHD
0HPRU\ELW FRPPHQFHDW0XXXXX
2XWSXWV FRPPHQFHDW4RRRRR
7LPHUV FRPPHQFHDW7WWWWW
&RXQWHUV FRPPHQFHDW&]]]]]
Function Code 02
The bit-oriented function code 02 permits read-only access to the SIMATIC memory areas
memory bits and inputs.
You can use the parameter assignment tool to specify from/to which MODBUS address
access is made to memory bits and inputs.
It is also possible to parameterize the data element in the SIMATIC memory area from which
access should begin.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
23
Mode of Operation
4.6 Access with Register-Orientated Function Codes
The MODBUS address areas and SIMATIC memory areas of FC 02 can be selected
independently from those of FC 01, 05, and 15.
02'%86DGGUHVVLQ
WUDQVPLVVLRQPHVVDJH
IUDPH
4.6
IURP
NNNN
WR
OOOO
IURP
QQQQ
WR
UUUU
6,0$7,&PHPRU\DUHD
0HPRU\ELW FRPPHQFHDW0YYYYY
,QSXWV FRPPHQFHDW,VVVVV
Access with Register-Orientated Function Codes
Function Codes 03, 06 and 16
The register-oriented function codes 03, 06 and 16 permit read and write access to the
SIMATIC data blocks memory area.
The required data block number is calculated in two steps.
1. The parameterization interface can be used to specify a base DB number. This base DB
will then be the first DB that can be accessed.
2. The MODBUS address Start_Register (register number) transmitted in the message
frame is interpreted as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU
2IIVHW'%QXPEHU
%LW
:RUGQXPEHU
Resulting DB number
The resulting DB number, which is then accessed, is obtained as follows:
Base DB number + Offset DB number.
This can be used to access a data block area consisting of 128 consecutive data blocks
within the entire addressable data block area of 65,535 DBs.
24
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Mode of Operation
4.6 Access with Register-Orientated Function Codes
Word number in the DB
The word number can be used to address the area from DBW 0 to DBW 1022 within each
data block.
The DBs, whose basic structure is organized in bytes, are in this instance interpreted by the
driver word-by-word as follows.
Word number
accesses
0
DBW 0
( = DBB 0/1)
1
DBW 2
( = DBB 2/3)
2
DBW 4
( = DBB 4/5)
3
DBW 6
( = DBB 6/7)
:
:
:
511
DBW 1022
( = DBB 1022/1023)
Function Code 04
The register-orientated function code 04 permits read-only access to the SIMATIC memory
area data blocks.
The way this access works is the same as with function codes 03, 06 and 16.
Function code 04 has its own base DB number available for free parameter assignment with
the parameter assignment tool. This will enable you to select a second independent area
consisting of 128 DBs.
However, these DBs have read-only access; it is not possible to write to them.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
25
Mode of Operation
4.7 Enable/disable Write Access
4.7
Enable/disable Write Access
Function Codes 05, 06, 15 and 16
For the write function codes 05, 06, 15 and 16, it is possible to disable or restrict access to
the relevant SIMATIC memory areas.
You can use the parameter assignment tool to specify an area which enables write access
from the MODBUS master system.
If the master tries to access SIMATIC memory areas that are outside this enabled area,
access is denied by an error message frame (exception).
Enable Write Access
6,0$7,&PHPRU\DUHD
'DWDEORFNV
UHVXOWLQJ'%QXPEHU
0,1'%QR
0$;'%1R
0HPRU\ELWV0
0,10 %\WH
0$;0 %\WH
2XWSXWV4
0,1$ %\WH
0$;$ %\WH
26
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5
General Information
The tasks relating to STEP 7 described below refer to STEP 7 Version 5.3.
Sequences, names and directory information can differ in later versions.
5.1
Installing the Driver on the STEP 7 Programming Device/PC
Introduction
To install the driver, consisting of driver code and driver-specific mask files, proceed as
follows:
1. Insert your MODBUS Slave CD in the CD-ROM drive.
2. In Windows, start the dialog for installing software by double-clicking the "Add and
Remove Programs" icon in the "Control Panel".
3. In the dialog box, select the CD-ROM drive and then the setup.exe file and start the
installation process.
4. Follow the instructions displayed on the installation program step by step.
Result: The driver and the parameter assignment screen forms are installed in the following
directory: Step7\S7fptp\S7Driver.
The directory contains among other things the following files:
● S7wfpb1a.dll
● S7wfpb1x.cod
● S7wfpb2x.cod
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
27
Commissioning the Driver
5.2 Uninstalling the Driver
5.2
Uninstalling the Driver
Introduction
You can uninstall the driver from the STEP 7 package in Windows using "Control Panel",
"Add/Remove Software" and "Uninstall".
Afterwards, you can verify that all files S7wfpb1?.*, S7wfpb2?.*, S7wfpb3?.* have been
deleted from the Step7\S7fptp\S7Driver directory.
Note
Prior to uninstallation of the package "Parameter Assignment Tool CP: Assigning
Parameters to Point-To-Point Connections" it is essential to uninstall all the loadable drivers.
5.3
Configuring the Data Link
Introduction
The configuration of a data link comprises the hardware allocation in the configuration table
using HW config. The configuration can be carried out using the STEP 7 software.
5.3.1
Configuring a Data Link with the CP 341
S7 Project
Before you can carry out the configuration, you must have created a S7 project with STEP 7.
Project Components
Insert the required project components into the opened project with the SIMATIC Manager:
● SIMATIC 300 station.
Before each insertion, you must select the required project by clicking it.
Insert > Station > SIMATIC 300 station
28
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.3 Configuring the Data Link
Hardware Configuration
The configuration of the hardware comprises defining the hardware components themselves,
and also their properties.
To start the hardware configuration, select the SIMATIC 300 station and double-click
“Hardware” or select the menu command "Edit > Open Object".
Use the menu command "Insert > Hardware Components" to insert the following
components:
● from SIMATIC 300 a RACK-300, a PS-300 and a CPU-300
● from CP-300 the CP PtP with the appropriate order number.
A detailed description of how to configure S7 -300 modules can be found in the User Manual
for STEP 7.
5.3.2
Configuring a Data Link with the CP 441-2
Introduction
For a point-to-point data link, you must configure a SIMATIC 400 station, the link partner
station, the PtP nodes, and the PtP network.
S7 Project
Before you can carry out the configuration, you must have created a S7 project with STEP 7.
Project Components
Insert the required project components into the opened project with the SIMATIC Manager:
● SIMATIC station, other station, PtP network.
Before each insertion, you must select the required project by clicking it.
– Insert > Station > SIMATIC 400 Station
for your own S7 program (Rack, PS, CPU, CP 441-2, ...),
– Insert > Station > Other Station
for the data link partner,
– Insert > Subnet > PtP
for a PtP network between the SIMATIC 400 Station and the data link partner.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
29
Commissioning the Driver
5.3 Configuring the Data Link
Hardware Configuration
The configuration of the hardware comprises defining the hardware components themselves,
and also their properties.
To start the hardware configuration, select the SIMATIC 400 station and double-click
“Hardware” or select the menu command "Edit > Open Object".
Use the menu command "Insert > Hardware Components" to insert the following
components:
● from SIMATIC 400 a RACK-400, a PS-400 and a CPU-400
● from CP-400 the CP PtP with the appropriate order number.
A detailed description of how to configure S7 400 modules can be found in the User Manual
for STEP 7.
30
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.4 Assigning Parameters to the CP
5.4
Assigning Parameters to the CP
5.4.1
Assigning Parameters to the CP
Assigning Parameters to the CP
After you have arranged the modules in your rack using “Hardware Configuration,” you must
assign parameters to them.
To start the parameter assignment tool, double-click the CP in “Hardware Configuration” or
click the CP and select the menu command Edit > Object Properties.
5.4.2
Assigning Parameters to the CP 341
Follow the steps below:
1. Properties - CP > Basic Parameters
Clicking the Parameters" button (single click) opens the protocol selection interface
"Assigning Parameters to Point-To-Point Connections". Here you can select the required
transmission protocol.
After selecting the Protocol, you can carry out Parameter Assignment of the Driver (start
by double-clicking the letter symbol).
A detailed description of how to select the protocol and assign parameters to the dialog
boxes for the loadable driver can be found in the section "Assigning parameters to the
driver (Page 35)".
After parameter assignment is complete, you return to the "Properties - CP" dialog box.
2. Properties - CP > Addresses
No settings are required in the "Addresses" tab of the Properties - CP dialog box.
3. Properties - CP > General
No settings are required in the "General" tab of the Properties - CP dialog box.
You can complete the parameter assignment of the CP by clicking “OK” in the “Properties
- CP” dialog box. You then return to the “Hardware Configuration” dialog box.
Save the parameter assignment and close the “Hardware Configuration” dialog box. You
return to the main menu of the STEP 7 project.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
31
Commissioning the Driver
5.4 Assigning Parameters to the CP
5.4.3
Assigning Parameters to the CP 441-2
Follow the steps below:
1. Properties - CP 441-2 > Basic Parameters
Specify the required "interface" of the CP 441 module (1=upper, 2=lower interface) in the
"Basic Parameters" tab. Select the inserted interface submodule as the "Module".
Clicking the Parameters" button (single click) opens the protocol selection interface
"Assigning Parameters to Point-To-Point Connections".
Here you can select the required transmission protocol.
After selecting the Protocol, you can carry out Parameter Assignment of the Driver. Start
by double-clicking the letter symbol.
A detailed description of how to select the protocol and assign parameters to the dialog
boxes for the loadable driver can be found in the section "Assigning parameters to the
loadable driver (Page 35)".
After parameter assignment is complete, you return to the "Properties - CP441-2" dialog
box.
2. Properties - CP 441-2 > Addresses
No settings are required in the "Addresses" tab of the Properties - CP 441-2 dialog box.
3. Properties - CP 441-2 > General
In the "General" tab of the Properties - CP 441-2 dialog box, you specify to which
PtP network the interfaces of the CP are connected.
PtP(1) corresponds to the upper interface, PtP(2) to the lower interface of the CP.
Clicking the PtP(1) or PtP(2) button opens the dialog box for configuration of the subnet.
Select the required subnet and activate the checkbox “Partner is connected to the
selected network.”
The selected subnet represents the connection of the CP interface to the link partner
interface.
Click “OK” to return to the "Properties - CP 441-2" dialog box. Here you complete
parameter assignment of the CP with “OK” and return to the “Hardware Configuration”
dialog box.
Save the parameter assignment and close the “Hardware Configuration” dialog box. You
return to the main menu of the STEP 7 project.
32
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.4 Assigning Parameters to the CP
Assigning Parameters to the Link Partner
After you have inserted the link partner station into your STEP 7 project, as described under
“Project Components: Insert > Other Station,” you have to specify the object properties of
this partner station.
Starting from the opened STEP 7 project, you can select the link partner station (other
station) by clicking it.
Select the menu command Edit > Object Properties.
This opens the “Properties - Other Station” dialog box.
1. Properties - Other Station > Node List
Select the “New” button in the "Node List" tab.
At “Select Type,” choose “PTP Nodes” and click “OK.”
The dialog box "Network Connection" appears.
Select the required subnet which represents the connection between CP interface and
link partner interface, and activate the checkbox "Node is connected to selected network."
Click “OK” to return to the “Node List” tab.
2. Properties - Other Station > General
You do not have to carry out any settings in the "General" tab.
Click "OK" to return to the main menu of the STEP 7 project.
A partner station may also have several interfaces (=PtP nodes) and may be connected
to different point-to-point networks.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
33
Commissioning the Driver
5.5 Configuration of the Data Link
5.5
Configuration of the Data Link
Introduction
This chapter is relevant only for the CP 441-2. If you are using a CP 341, you can skip this
chapter.
Communications Link
The CP represents the link in a data link between a S7 CPU and a communications
partner/bus connected via a point-to-point data link. You must carry out data link
configuration for each serial interface to be connected to the link partner/bus.
Configuration of the Data Link
Select the CPU in the STEP 7 project in its own opened S7-400 station and open the
configuration of the data link by double-clicking "Connections".
The dialog box “Carry Out Project Configuration of Connections” appears.
Select the menu command Insert > Connection to open the "New Connection" dialog box.
Here you can select the link partner (other station) for the new data link and select "Point-toPoint Connection" as the connection type.
Confirm with "OK." The "Connection Properties" dialog box is now opened.
Connection Properties
You are given an ID which you can modify if required.
Select "Communication Direction 3: Local <-> Partner".
The parameterized routing is displayed.
Both indications of a CPU number are irrelevant for the operation of this driver.
Accept all settings with “OK.”
Save the “Project Configuration of Data Link” and close the dialog box.
You should note that the Connection ID (Local ID) must be used again when you call the
MODBUS communications FB in the user program.
34
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
5.6
Assigning parameters to the loadable driver
Opening the Parameter Assignment Tool CP-PtP
Select the SIMATIC station and double-click "Hardware" or select "Edit > Open object" to
start up "Configure hardware".
Select the CP and then select Edit > Object Properties.
Select the interface (CP 441-2 only) and the interface module (CP 441-2 only) and then
select the "Parameters" button to open the protocol selection dialog box.
Protocol Selection
In addition to the standard protocols, the selection dialog box also displays any installed
loadable drivers. Select "MODBUS Slave" for this driver.
Double-click the mailbox icon for the transmission protocol. This takes you to the dialog box
for setting the protocol-specific parameters.
Driver-Specific Parameters
The parameters described below can be set for this driver in the individual dialog boxes.
5.6.1
MODBUS Slave Protocol
Overview of transmission parameters
Table 5- 1
Rate, character frame
Parameter
Description
Value range
Default value
Baud rate
Data transmission speed in bit/s
300
600
1200
2400
4800
9600
19200
38400
76800
9600
Additional baud rate in CP 341 with these order numbers:
 6ES7341-1xH01-0AE0
 6ES7341-1xH02-0AE0
57600
Additional baud rates in CP 441-2 with these order numbers:
 6ES7441-2AA03-0AE0
 6ES7441-2AA04-0AE0
57600
115200
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
35
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Parameter
Description
Value range
Default value
Data bits
Bits per character
8
8
Stop bits
Number of stop bits
1
2
1
Parity
No parity bit transferred.
None
Even
The number of data bits is supplemented
to form an odd number.
Odd
The number of data bits is supplemented
to form an even number.
Even
Transmission rate
The transmission rate is the speed of data transmission in bits per second (baud).
Note the maximum total transmission rate of the CP 441-2. The total transmission rate is the
sum of the transmission rates parameterized for the two interfaces.
The maximum transmission rate for the TTY interface is 19200 baud.
Data Bits
The number of data bits describes how many bits a character is mapped to for transmission
purposes.
Stop Bits
The number of stop bits defines the smallest possible time interval between two characters
to be transmitted.
Parity
The parity bit is used for data security. Depending on the parameter assignment, it
supplements the number of data bits to be transmitted to form an even or odd number.
If a parity of "none" has been set, no parity bit is transmitted. This reduces the transmission
integrity.
36
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Overview of the protocol parameters
Table 5- 2
Protocol parameters
Parameters
Description
Value range
Default value
Slave Address
Own slave address of the CP
1 to 255
222
Activate operating
mode selection
with RS485
Enables the selection of
"Normal operation" in Halfduplex (RS485) two-wire
mode.
Yes
No
Operating mode
"Normal" operation
Normal
operation
"Interference suppression"
Multiplier
character delay
time
Multiplication factor for
transmission rate-dependent
character delay time
No

Interference
suppression

1 to 10
1
in "Full-duplex (RS422)
four-wire mode": Normal
operation
in "Half-duplex (RS485)
two-wire mode":
Interference suppression
Slave address
Here you can specify the separate MODBUS Slave address to which the CP should reply.
The CP only replies to message frames where the received slave address is identical to the
parameterized slave address. Message frames to other slaves are not checked and do not
receive a response.
Activate operating mode selection with RS485
After activating the "Operating mode selection with the RS485", you can also switch the
operating mode to "Normal operation" in the tab "Interface" if you have selected Half-duplex
(RS485) two-wire mode.
Normal operation
In this operating mode, all detected transmission errors or BREAKs before and after receive
message frames from the link partner result in an appropriate error message.
The first character of a frame has to be a valid slave address.
The end of message frame is only recognized when the character delay time expires.
Interference Suppression
If BREAK is detected on the receiving line at the start of a receive message frame, or if the
CP interface block detects transmission errors, this does not result in an error message in
the user program.
Transmission errors or BREAKs are also ignored when they occur after the end of the
receive message frame (CRC code).
The start of a receive message frame from the link partner is detected by means of the
correctly received slave address.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
37
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Multiplier character delay time
If a link partner cannot meet the time requirements of the MODBUS specification, it is
possible to multiply the character delay time ZVZ by the multiplication factor fMUL. The
character delay time should only be adjusted if the link partner cannot meet the required
times.
The resulting character delay time tZVZ is calculated as follows:
● tZVZ = tZVZ_TAB * fMUL
● tZVZ_TAB: Table value for ZVZ (see section "Transmission protocol")
● fMUL: Multiplication factor
5.6.2
Conversion of MODBUS Addresses for Bit Functions
Overview of FC 01, 05, 15
Table 5- 3
Converting MODBUS addressing for FC 01, 05 and 15
Parameters
Input
Meaning
SIMATIC area Memory bits
MODBUS address in
transmission message frame
from
0 .. 65535
(decimal)
Starting with this MODBUS address
(Bit number)
to
0 .. 65535
(decimal)
Including this MODBUS address
SIMATIC memory area
Memory bits
(Memory byte number)
commence
at
0 .. 65535
(decimal)
Commence at this memory byte
MODBUS address in
transmission message frame
from
0 .. 65535
(decimal)
Starting with this MODBUS address
(Bit number)
to
0 .. 65535
(decimal)
Including this MODBUS address
SIMATIC memory area
Outputs
(Output byte number)
commence
at
0 .. 65535
(decimal)
Commence at this output byte
MODBUS address in
transmission message frame
from
0 .. 65535
(decimal)
Starting with this MODBUS address
(Bit number)
to
0 .. 65535
(decimal)
Including this MODBUS address
SIMATIC memory area
Timers
(Timer number)
commence
at
0 .. 65535
(decimal)
Commence at this timer
(= 16-bit word)
SIMATIC area Outputs
SIMATIC area Timers
38
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Parameters
Input
Meaning
SIMATIC area Counter
MODBUS address in the
from
0 .. 65535
(decimal)
Starting with this MODBUS address
(Bit number)
to
0 .. 65535
(decimal)
Including this MODBUS address
SIMATIC memory area
commence
at
0 .. 65535
(decimal)
Commence at this counter
(= 16-bit word)
transmission message frame
Counter
(Counter number)
"from"/"to" MODBUS Address
You can use the “from” address to assign parameters to the MODBUS address which is the
start of the appropriate area; for example, memory bits, outputs, etc. (= first bit number of
area).
You can use the “to” address to assign parameters to the MODBUS address which is the
end of the appropriate area; for example, memory bits, outputs, etc. (= last bit number of
area).
The "from"/"to" addresses refer to the MODBUS address in the transmission message frame
(bit numbers commencing at 0) for function codes FC 01, 05 and 15.
The individual "from/to" areas must not overlap.
Gaps between the individual "from/to" areas are permitted.
"commence at" SIMATIC Memory Area
"Commence at" can be used to specify the start of the SIMATIC area to which the "from/to"
MODBUS area is mapped (= first memory byte/output byte/timer/counter number of the
SIMATIC area).
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
39
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Example
02'%86DGGUHVVLQ
WUDQVPLVVLRQPHVVDJH
IUDPH
IURP
WR
IURP
WR
IURP
WR
IURP
WR
6,0$7,&PHPRU\DUHD
0HPRU\ELW FRPPHQFHDW0
2XWSXWV
FRPPHQFHDW4
7LPHUV
FRPPHQFHDW7
&RXQWHUV
FRPPHQFHDW&
The MODBUS addresses from 0 to 2047 access the SIMATIC memory bits commencing at
memory bit M 1000.0; i.e. length of area = 2048 bits = 256 bytes, which means last memory
bit = M 1255.7.
The MODBUS addresses from 2048 to 2559 access the SIMATIC outputs commencing at
output Q 256.0; i.e. length of area = 512 bits = 64 bytes, which means last output bit = Q
319.7.
The MODBUS addresses from 4096 to 4255 access the SIMATIC timers commencing at
timer T 100; i.e. length of area = 160 bits = 10 words, which means last timer = T 109.
The MODBUS addresses from 4256 to 4415 access the SIMATIC counters commencing at
counter C 120; i.e. length of area = 160 bits = 10 words, which means last counter = C 129.
Overview of FC 02
Table 5- 4
Converting MODBUS addressing for FC 02
Parameters
Input
Meaning
SIMATIC area memory bits
MODBUS address in
transmission message frame
from
0 .. 65535
(decimal)
Starting with this MODBUS address
(Bit number)
to
0 .. 65535
(decimal)
Including this MODBUS address
SIMATIC memory area memory
bits
(Memory byte number)
commence
at
0 .. 65535
(decimal)
Commence at this memory byte
MODBUS address in
transmission message frame
from
0 .. 65535
(decimal)
Starting with this MODBUS address
(Bit number)
to
0 .. 65535
(decimal)
Including this MODBUS address
SIMATIC area Inputs
40
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Parameters
SIMATIC memory area Inputs
(Input byte number)
commence
at
Input
Meaning
0 .. 65535
(decimal)
Commence at this input byte
"from"/"to" MODBUS Address
You can use the “from” address to assign parameters to the MODBUS address which is the
start of the appropriate area; for example, memory bits, outputs (= first bit number of area).
You can use the "to" address to assign parameters to the MODBUS address which is the
end of the appropriate area (= last bit number of area).
The "from/to" addresses refer to the MODBUS address in the transmission message frame
(bit numbers commencing at 0) for the function code FC 02.
The individual "from/to" areas must not overlap.
Gaps between the individual "from/to" areas are permitted.
"commence at" SIMATIC Memory Area
"Commence at" can be used to specify the start of the SIMATIC area to which the "from/to"
MODBUS area is mapped (= first memory byte/input byte number of the SIMATIC area).
Example
02'%86DGGUHVVLQ
WUDQVPLVVLRQPHVVDJH
IUDPH
IURP
WR
IURP
WR
6,0$7,&PHPRU\DUHD
0HPRU\ELW FRPPHQFHDW0
,QSXWV FRPPHQFHDW,
The MODBUS addresses from 0 to 4095 access the SIMATIC memory bits commencing at
memory bit M 0.0; i.e. length of area = 4096 bits = 512 bytes, which means last memory bit =
M 511.7.
The MODBUS addresses from 4096 to 5119 access the SIMATIC inputs commencing at
input I 128.0; i.e. length of area = 1024 bits = 128 bytes, which means last input bit = I 255.7.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
41
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Note
The value entered for "commence at memory bit" is completely independent of the value
entered for "commence at memory bit" for function codes 01, 05 and 15.
This means that with FC 02 it is possible to use a second SIMATIC memory bit area (readonly) that is completely independent of the first.
There is no point in defining memory bytes for simultaneous access with both FC01 and
FC02!
5.6.3
Conversion of MODBUS Addresses for Register Functions
Overview of FC 03, 06 and16
Table 5- 5
Converting MODBUS addressing for function codes FC 03, 06 and 16
Parameters
Input
Meaning
1 .. 65535
(decimal)
Commence at this data block
Commence at DBW 0
(= base DB number)
SIMATIC area Data blocks
MODBUS address = 0 in transmission message
frame
(register number) means access to:
SIMATIC memory area
Data blocks
commence
at DB
"commence at DB"
"Commence at DB" can be used to specify the first data block of the SIMATIC area to be
accessed (=base DB number).
This DB is accessed when the register number of the MODBUS message frame has the
value 0, starting from data word DBW 0.
Higher MODBUS register numbers access the data words/data blocks that follow this.
Up to 127 successive DBs can be addressed. The driver interprets bits 9 - 15 of the
MODBUS register number for the purpose of accessing the individual successive DBs
(please note the information in the section "Function Codes (Page 73)").
42
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Example
02'%86DGGUHVVLQ
WUDQVPLVVLRQPHVVDJH
IUDPH
5HJLVWHUQXPEHU PHDQV$FFHVVWR
6,0$7,&PHPRU\DUHD
'DWDEORFNV FRPPHQFHDW'% MODBUS register address 0 can be used to access data block 800 commencing at DBW 0
in the SIMATIC system. Higher MODBUS register addresses (≥ 512, etc.) access the DBs
that follow this, such as DB 801 and so on.
Overview of FC 04
Table 5- 6
Converting MODBUS addressing for FC 04
Parameters
Input
Meaning
SIMATIC area Data blocks
MODBUS address = 0 in
transmission message frame
(register number) means access to:
SIMATIC memory area
Data blocks
commence at 1 .. 65535
DB
(decimal)
Commence at this data block
Commence at DBW 0
(= base DB number)
"commence at DB"
"Commence at DB" can be used to specify the first data block of the SIMATIC area to be
accessed (=base DB number).
This DB is accessed when the register number of the MODBUS message frame has the
value 0, starting from data word DBW 0.
Higher MODBUS register numbers access the data words/data blocks that follow this.
Up to 127 successive DBs can be addressed. The driver interprets bits 9 - 15 of the
MODBUS register number for the purpose of accessing the individual successive DBs
(please note the information in the section "Function Codes (Page 73)").
Note
The value entered for "commence at DB" is completely independent of the value entered for
"commence at DB" for function codes 03, 06 and 16.
This means that with FC 04 it is possible to use a second SIMATIC data block area (readonly) that is completely independent of the first.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
43
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Example
02'%86DGGUHVVLQ
WUDQVPLVVLRQPHVVDJH
IUDPH
5HJLVWHUQXPEHU PHDQV$FFHVVWR
6,0$7,&PHPRU\DUHD
'DWDEORFNV FRPPHQFHDW'% MODBUS register address 0 can be used to access data block 1200 commencing at DBW 0
in the SIMATIC system. Higher MODBUS register addresses (≥ 512, 1024 etc.) access the
DBs that follow this, such as DB 1201, 1202 and so on.
5.6.4
Limits for Write Functions
Overview of FC 05, 06, 15 and 16
Table 5- 7
SIMATIC limits for write access (FC 05, 06, 15 and 16)
Parameters
Data block DB:
Resulting DB number
Input
Meaning
MIN
1 to 65535
First enabled DB
MAX
1 to 65535
Last enabled DB
MAX= 0 all DBs disabled
Memory bits M
(Memory byte number)
MIN
0 to 65535
First enabled memory byte
MAX
1 to 65535
Last enabled memory byte
MIN
0 to 65535
First enabled output byte
MAX
1 to 65535
Last enabled output byte
MAX= 0 all memory bits disabled
Outputs Q
(Output byte number)
MAX= 0 all outputs disabled
"MIN" / "MAX" SIMATIC Memory Area
For the write function codes, it is possible to specify lower and upper access limits
(MIN/MAX). Write access is possible within enabled area only.
If the value for the upper limit is 0, the entire area is disabled.
When selecting the size of the enabled area, remember which CPU it refers to.
If the master attempts write access to an area outside the upper/lower limit, this is rejected
by the CP with an error message frame.
The MIN/MAX values for the data blocks area must be specified as resulting DB numbers.
44
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
Example
6,0$7,&PHPRU\DUHD
'DWDEORFNV
UHVXOWLQJ'%QXPEHU
0,1'% 0$;'% 0HPRU\ELWV0
2XWSXWV4
0,1
0$;
0,1
0$;
The SIMATIC data blocks DB 600 to DB 699 can be accessed with write function codes FC
06 and 16.
The SIMATIC memory bytes MB 1000 to MB 1127 can be accessed with the write function
codes FC 05 and 15).
The SIMATIC outputs output bytes QB 256 to QB 319 can be accessed with the write
function codes FC 05 and 15.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
45
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
5.6.5
RS422/485 (X27) Interface
Overview
Table 5- 8
RS422/485 (X27) Interface
Parameters
Description
Value range
Default value

Operating mode Specifies whether the RS
422/485 (X27) interface is to
be run in full-duplex mode

(RS 422) or half-duplex
mode (RS 485).
Full-duplex (RS 422)
four-wire mode
Half-duplex (RS 485)
two-wire mode
Full-duplex (RS 422)
four-wire mode
Initial state of
the receive line
None
Signal R(A) 5V /
Signal R(B) 0V (break
detection)1
Signal R(A) 0V /
Signal R(B) 5V

None:
The two-wire line R(A),R(B)
is not initialized. In this
instance initialization should
be carried out by the link
partner.



Signal R(A) 5V /
Signal R(B) 0V (break
detection):
This default setting supports
break detection in "Fullduplex (RS422) 4-wire
mode." Cannot be selected
for "Half-duplex (RS485)
two-wire mode"

in "Full-duplex
(RS422) four-wire
mode":
Signal R(A) 5V /
Signal R(B) 0V
(break detection)1
in "Half-duplex
(RS485) two-wire
mode":
Signal R(A) 0V /
Signal R(B) 5V
Signal R(A) 0 V /
Signal R(B) 5V:
This initial state corresponds
to idle state (no senders
active) in "Half-duplex (RS
485) two-wire mode". Break
detection is not possible
with this initial state.
1 Only in the case of "Full-duplex (RS 422) four-wire mode"
"Full-duplex (RS422) four-wire operation"
In this operating mode, transmission is via the transmission line T(A)-, T(B)+ and receipt is
via the receive line R(A)-, R(B)+.
Error handling is carried out in accordance with the functionality set at the "driver operating
mode" parameter (normal operation or interference suppression).
46
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.6 Assigning parameters to the loadable driver
"Half-duplex (RS485) two-wire mode"
In this operating mode, the driver switches the interface's 2-wire receive line R(A)-, R(B)+
between send and receive operation.
In the initialization settings for this operating mode, all recognized transmission errors and/or
BREAK before and after receive message frames are ignored.
BREAK level during message frame pauses is also ignored.
The start of a receive message frame from the link partner is detected by means of the
correctly received slave address.
The setting "Signal R(A) 0V, R(B) 5V" is recommended for a node as the initial state for the
receive line. "Receive line initial state" should set to "None" for all other nodes.
Receive line initial state
"None"
The two-wire line R(A)-,R(B)+ is not initialized. In this instance initialization should be carried
out by the link partner.
Initialization "R(A) 5V, R(B) 0V" (BREAK)
The two-wire line R(A)-, R(B)+ is initialized by the CP as follows:
R(A) --> +5V, R(B) --> 0V (VA - VB ≥ +0.3V).
This means that BREAK level occurs on the CP in the event of a line break.
This option can be selected only in the case of "Full-duplex (RS 422) four-wire mode".
Initialization "R(A) 0V, R(B) 5V"
The two-wire line R(A)-, R(B)+ is initialized by the CP as follows:
R(A) --> 0V, R(B) --> +5V (VA - VB ≤ -0.3V).
This means that HIGH level occurs on the CP in the event of a line break and/or idle state
when nothing is transmitting. The BREAK line state cannot be detected.
Selection of parameters
Select the settings necessary for your connection and exit the individual screen forms with
"OK".
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
47
Commissioning the Driver
5.7 Loading the Configuration and Parameter Assignment Data for the CP 341
5.7
Loading the Configuration and Parameter Assignment Data for the
CP 341
Data Storage
When you close the "hardware configuration" the data are automatically stored in your
STEP 7 project.
Loading the Configuration and Parameters
You can now load the configuration and parameter assignment data online from the
programming device to the CPU. Select the Target system > Load menu command to
transfer the data to the CPU.
When the CPU is started up, and whenever the CPU switches from STOP to RUN mode or
vice versa, the module parameters of the CP are automatically transferred from the CPU to
the CP as soon as the CP can be accessed via the S7300 backplane bus.
The driver code is not stored in the CPU but rather directly on the CP 341 in the retentive
memory using the parameter assignment interface. Note, however, that for this reason you
will not be able to replace a module without a programming device.
Further Information
The STEP 7 User Manual provides a detailed description of how to:
● Save the configuration and parameters
● Load the configuration and parameters to the CPU
● Read, modify, copy and print the configuration and parameters.
48
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.8 Loading drivers to the CP 341
5.8
Loading drivers to the CP 341
Requirements
You have an online connection to the CPU.
Load drivers
1. Select the desired loadable driver in the "Protocol" drop-down list in the "Assigning
Parameters to Point-to-Point Connection" window.
2. Click the "Load drivers" icon.
In the "Load drivers to CP341" window, you see the driver version loaded online on the
module and the driver version you have selected offline on the programming device.
3. Click the "Load drivers" button and confirm with "Yes".
The driver will be loaded to the CP 341.
After loading is complete, the information "Driver version online on the module" will be
updated.
If the driver you have loaded is already located on the CP 341, the loading operation will
be canceled with the message "Driver already exists". In this case, confirm with "OK" and
close the "Download Drivers to CP341" window.
If driver files are missing or incorrect, you receive the error message "Module rejected
driver download". In this case, you must repeat the driver installation.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
49
Commissioning the Driver
5.9 Loading the Configuration and Parameter Assignment data for the CP 441-2
5.9
Loading the Configuration and Parameter Assignment data for the
CP 441-2
Data Storage
When you close the "hardware configuration" and/or "configuration of connections” the data
including module parameters and driver codes are automatically stored in your STEP 7
project.
Loading the Configuration and Parameters
You can now load the configuration and parameter assignment data online from the
programming device to the CPU. Select the Target system > Load menu command to
transfer the data to the CPU.
When the CPU is started up, the module parameters of the CP are automatically transferred
from the CPU to the CP as soon as the CP can be accessed via the S7400 backplane bus.
Further Information
The STEP 7 User Manual provides a detailed description of how to:
● Save the configuration and parameters
● Load the configuration and parameters to the CPU
● Read, modify, copy and print the configuration and parameters.
5.10
Startup Characteristics of the CP
Introduction
The startup of the CP is divided into two phases:
● Initialization with CP in power on mode
● Parameter Assignment
Initialization
As soon as voltage is applied to the CP, and after completion of a hardware test program,
the firmware on the CP is prepared for operation.
Parameter Assignment
During parameter assignment, the CP receives the module parameters allocated to the
current slot.
The CP is now ready to operate.
50
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Driver
5.11 Parameter Assignment for "Startup of the CPU"
5.11
Parameter Assignment for "Startup of the CPU"
Introduction
This chapter is relevant only for the CP 441-2. If you are using a CP 341, you can skip this
chapter.
Hardware Configuration
To avoid problems during startup of the CPU-CP, the following setting should be made when
carrying out parameter assignment of the CPU with "Hardware configuration".
After starting the parameter assignment by double-clicking the CPU or by clicking the CPU
and selecting the menu command Edit > Object properties, the "Properties - CPU" page
appears.
In the "Startup" tab, set a minimum value of 1000 (= 100s) under "Monitoring Time for" at the
point "Transfer of Parameters to Modules (100ms).
Reason: In the case of parameter assignment of a CP 441-2 interface with a loadable driver,
the driver code is transferred to the CP in addition to the assigned parameters. The entire
loading procedure is monitored for the time mentioned above which must be sufficient.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
51
Commissioning the Driver
5.11 Parameter Assignment for "Startup of the CPU"
52
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Communications FB
6.1
6
Installing the FB
Supplied CD
The MODBUS slave communications FB is part of a STEP 7 project which is stored to the
directory EXAMPLES of the STEP 7 software under the name “Modsl” for CP 441-2 or CP
341 when the driver is installed in the library Modbus.
You should ensure that there is not already a project with the same name.
Transfer
1. The project file Modsl contains a complete STEP 7 project in the form of a loadable
example.
2. Transfer the MODBUS communications FB 180 for CP 441-2 or FB 80 for CP 341 to your
user project if you wish to continue working in your own user project.
3. If required, transfer the startup OBs OB 100 and OB 101, the cyclic OB 1, and DB 180 or
DB 80 to your user project.
This will enable you to access the call example for the communications FB, as well as a
completed instance DB for the FB.
Note
OB 1 and OB 100/OB 101 can also be generated themselves.
If the instance DB is not included in the transfer, it must be generated when calling FB 180 or
FB 80 in OB 1/OB 100/OB 101.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
53
Commissioning the Communications FB
6.2 STEP 7 project
6.2
STEP 7 project
STEP 7 Project
The STEP 7 project file Modsl contains a complete project in the form of a loadable example
consisting of:
● Hardware configuration with UR1, PS, CPU and CP
● CP parameter assignment
● STEP 7 program with OBs and MODBUS communications FB
The blocks in the program file are to be understood as examples only and may be changed
by the user according to his requirements.
If necessary, the MODBUS communications FB may be renamed as required.
Contents of Modsl for CP 341
The project file example contains the following:
FB 80
Function block
MODBUS slave communications FB for CP 341
DB 80
Instance DB
Instance DB and work area for MODBUS FB
OB 1
Example OB
Cyclic program
OB 100
Example OB
Cold restart
FB 7
P_RCV_RK
Receive data
FB 8
P_SND_RK
Send data
SFC 36
MSK_FLT
Mask synchronous error events
SFC 37
DMSK_FLT
Unmask synchronous error events
SFC 38
READ_ERR
Read event status register
SFC 41
DIS_AIRT
Delay interrupts
SFC 42
EN_AIRT
Enable interrupts
SFC 51
RDSYSST
Read system area (SZL) of CPU
The SFCs are integrated in the CPU, the variable tables have been added for diagnostic
purposes only.
54
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Communications FB
6.2 STEP 7 project
Contents of Modsl for CP 441-2
The project file example contains the following:
FB 180
Function block
MODBUS slave communications FB for CP 441-2
DB 180
Instance DB
Instance DB and work area for MODBUS FB
OB 1
Example OB
Cyclic program
OB 100
Example OB
Cold restart
OB 101
Example OB
Hot restart
SFB 12
BSEND
Send data block-orientated
SFB 22
STATUS
Read error message area SYSTAT
SFC 36
MSK_FLT
Mask synchronous error events
SFC 37
DMSK_FLT
Unmask synchronous error events
SFC 38
READ_ERR
Read event status register
SFC 41
DIS_AIRT
Delay interrupts
SFC 42
EN_AIRT
Enable
SFC 51
RDSYSST
Read system area (SZL) of CPU
The SFBs and SFCs are integrated in the CPU, the variable tables have been added for
diagnostic purposes only.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
55
Commissioning the Communications FB
6.3 FB 80 Parameters (CP 341)
6.3
FB 80 Parameters (CP 341)
Overview
Name
Type
Data type
Meaning
Permitted assignment
LADDR
I
Int
Base address of the CP
Use HW Config assignment
START_TIMER
I
Timer
Timer for timeout initialization
START_TIME
I
S5Time
Time value timeout
initialization
OB_MASK
I
BOOL
Mask I/O access errors, delay
interrupts
FALSE:
I/O access errors are not masked.
TRUE:
I/O access errors are masked and
interrupts are delayed.
CP_START
I
BOOL
Start FB initialization
CP_START_FM
I
BOOL
The initialization is activated
with the rising edge of
CP_START.
CP_START_NDR
O
BOOL
Info: write job from CP
CP_START_OK
O
BOOL
Startup completed without
error
CP_START_ERROR
O
BOOL
Startup completed with error
TRUE:
The initialization job could be completed
without error before the monitoring time
elapsed.
TRUE:
The initialization job could not be
completed without error even after the
monitoring time had elapsed.
ERROR_NR
O
Word
Error number
Assignment, see diagnostics
ERROR_INFO
O
Word
Error additional info
Assignment, see diagnostics
56
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Communications FB
6.4 FB 180 Parameters (CP 441-2)
6.4
FB 180 Parameters (CP 441-2)
Overview
Name
Type
Data type
Meaning
Permitted assignment
ID
I
Word
Connection ID
Connection ID from configuration of the
data link.
START_TIMER
I
Timer
Timer for timeout initialization
START_TIME
I
S5Time
Time value timeout
initialization
STATUS_TIMER
I
Timer
Read Timer for SYSTAT
STATUS_TIME
I
S5Time
Read time interval for SYSTAT
OB_MASK
I
BOOL
Mask I/O access errors, delay
interrupts
FALSE:
I/O access errors are not masked.
TRUE:
I/O access errors are masked and
interrupts are delayed.
CP_START
I
BOOL
Start FB initialization
CP_START_FM
I
BOOL
The initialization is activated
with the rising edge of
CP_START.
CP_START_NDR
O
BOOL
Info: write job from CP
CP_START_OK
O
BOOL
Startup completed without
error
TRUE:
Startup completed with error
TRUE:
CP_START_ERROR
O
BOOL
The initialization job could be completed
without error before the monitoring time
elapsed.
The initialization job could not be
completed without error even after the
monitoring time had elapsed.
ERROR_NR
O
Word
Error number
Assignment, see diagnostics
ERROR_INFO
O
Word
Error additional info
Assignment, see diagnostics
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
57
Commissioning the Communications FB
6.5 Program Call
6.5
Program Call
General Information
The MODBUS communications FB for the loadable MODBUS slave driver must be called in
the SIMATIC S7 CPU in the cyclic part.
The communications FB initializes the CP and carries out those MODBUS functions which
the driver cannot carry out itself. The MODBUS slave communications FB must be called in
the user program, even if these function codes are not used by the MODBUS master
system.
Communication between the CP and the FB is carried out via the CPU operating system
functions and the system function block SFB BSEND (CP 441-2) or P_SND_RK and
P_RCV_RK (CP 341) which is called from the FB.
Furthermore, the MODBUS FB (CP 441-2 (FB180) only) reads the error message area
SYSTAT of the CP using SFB STATUS.
Startup, Initialization
After each cold restart or warm restart of the CPU, you must carry out an initialization of the
MODBUS communications FB.
Initialization is activated with a rising edge at input CP_START.
First of all the FB deletes the instance DB, reads operand areas I, Q, M, T, C from the CPU
with SFC51 SZL_READ, and stores them in the instance DB. This enables you to check the
write requirements of the MODBUS master system for area overflow.
The number of the instance DB and the completed initialization sequence is communicated
to the CP by means of a SEND job.
As soon as the SEND job has been completed without error, output CP_START_OK is set
and the FB initialization is complete.
If the SEND job is completed with error, CP_START is reset and CP_START_ERROR is set.
If the initialization was completed with error, MODBUS communication is not possible. All
requests from the MODBUS Master system are answered with an Exception Code message
frame.
Instance DB
All data relevant to the MODBUS FB are located in an instance data block. This DB is also
the instance DB (multi instances) for the used FBs and SFBs and work area for the
MODBUS communications FB. No further data area is required.
The MODBUS FB only uses the instance DB and local data.
Access to the instance DB is permitted only as read-only.
58
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Communications FB
6.5 Program Call
Timeout Initialization
After power on, the CP needs several seconds for hardware and memory checks until it is
ready to run. Initialization attempts of the MODBUS FB during this time are completed with
error. Because of this, the MODBUS FB repeats its initialization job several times during this
timeout.
CP_START_OK is set if the initialization could be completed without error within the
parameterized time START-TIME of the timer START-TIMER. If initialization could not be
completed without error after the monitoring time has elapsed, CP_START_ERROR is set.
Time Value for Read SYSTAT (CP 441-2 only)
As a cyclic read of the SYSTAT area on every PLC cycle or every other PLC cycle would
unnecessarily cause an overload for the CP and the K-Bus and would reduce data
throughput, a time interval can be set for reading the SYSTAT area (only relevant for CP
441-2 (FB180)) .
After the time interval STATUS_TIME in STATUS_TIMER has elapsed, the MODBUS FB
activates the SFB STATUS for reading the SYSTAT area.
I/O Access Errors, Delay Interrupts
The input parameter OB_MASK can be used to instruct the MODBUS FB to mask I/O access
errors. In the event of a write access to non-existent I/Os, the CPU does not go to STOP and
neither does it call the error OB.
The FB detects the access error and the function is terminated with an error message to the
CP. I/O access errors in the event of a write command are masked only if parameter
OB_MASK is = TRUE.
Prior to masking the access errors, all higher priority interrupts are delayed (SFC 14), and
they are re-enabled after write access of the FB and after unmasking the access errors (SFC
42).
This ensures that access errors are recognized by higher priority programs such as time
interrupts or process interrupts in case the FB is interrupted between masking and
unmasking.
Example OB100/101
Segment 1
AN M 180.0
// set CP_START
S M 180.0
// !
A M 180.1
// re-set CP_START_FM
R M 180.1
// !
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
59
Commissioning the Communications FB
6.5 Program Call
Example OB1 for CP 341
Segment 1
CALL FB 80 , DB80
// MODBUS SLAVE CP341 FB
LADDR
:=256
// Base address of the CP
START_TIMER
:=T120
// Timer Timeout initi.
START_TIME
:=S5T#5S
// Time value Timeout
OB_MASK
:=TRUE
// Mask errors
CP_START
:=M180.0
// Start initialization
CP_START_FM
:=M180.1
// Edge trigger memory bit
CP_NDR
:=M180.2
// New write job from CP
CP_START_OK
:=M180.3
// Init. CP-FB without error
CP_START_ERROR
:=M180.4
// Init. CP-FB with error
CP_ERROR_NR
:=MW182
// Error number
CP_ERROR_INFO
:=MW184
// Error additional info
Example OB1 for CP 441-2
Segment 1
CALL FB 180 , DB180
60
// MODBUS SLAVE CP441 FB
ID
:=W#16#1000
// Connection ID
START_TIMER
:=T180
// Timer Timeout initi.
START_TIME
:=S5T#5S
// Time value Timeout
STATUS_TIMER
:=T181
// Timer read SYSTAT
STATUS_TIME
:=S5T#2S
// Time value read SYSTAT
OB_MASK
:=TRUE
// Mask errors
CP_START
:=M180.0
// Start initialization
CP_START_FM
:=M180.1
// Edge trigger memory bit
CP_NDR
:=M180.2
// New write job from CP
CP_START_OK
:=M180.3
// Init. CP-FB without error
CP_START_ERROR
:=M180.4
// Init. CP-FB with error
CP_ERROR_NR
:=MW182
// Error number
CP_ERROR_INFO
:=MW184
// Error additional info
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Commissioning the Communications FB
6.6 Cyclic Operation
6.6
Cyclic Operation
Communications FB
The MODBUS communications FB carries out all necessary SFB calls and processes those
function codes which the CP cannot run itself such as write bit-by-bit to the SIMATIC areas
memory bits and outputs with FC05 or FC15.
SYSTAT Area (CP 441-2 only)
The MODBUS FB180 for the CP 441-2 reads from the SYSTAT area of the CP in a
parameterized time interval and stores the data in the instance DB commencing at DBW 40.
You must program the user-specific error handling in the user program.
Bytes 4 to 15 (events 1 to 6) of SYSTAT are always stored in the instance DB commencing
at DBW 44, providing the error bit (Bit 2.0) has been set in SYSTAT.
Please refer to the chapter "Diagnostics (Page 103)" of this manual and the CP 441-2
manual for a detailed description of the structure of SYSTAT.
Response Times
One FB sequence, one PLC cycle, plus data transfer times CP--->CPU and CPU--->CP are
required to process the write function codes FC 05 and FC 15.
The other functions which are processed by the CP directly only require data transfer times
CP--->CPU or CPU--->CP.
The CP does not send the reply message frame to the master system until after the data
transfer CPU--->CP. In this instance the standard reply monitoring time of 2 sec. can be met.
3URFHVVHGE\
0RGEXV)%
'DWDWUDQVIHU
&3!&38
'DWDWUDQVIHU
&38!&3
5HTXHVW
PHVVDJH
IUDPHUHFHLYHG
IURP0DVWHU
&3VHQGV
UHSO\PHVVDJH
IUDPH
W
The response times depend on the cycle time of the CPU program (MODBUS FB) and the
CPU type (data transfer CPU<-->CP).
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
61
Commissioning the Communications FB
6.6 Cyclic Operation
62
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
CPU-CP interface
7.1
CPU-CP interface for CP 341
7.1.1
General Information
7
MODBUS Communications FB
Data transfer between CP and CPU is carried out by the function blocks P_SND_RK and
P_RCV_RK.
The supplied MODBUS communications FB calls the FBs.
It is not necessary to program any further FB calls in the SIMATIC user program.
Integrating the jobs in the user program
To completely process one individual MODBUS slave job, you will have to open the
MODBUS communication FB FB 80 several times. The data volume you have to write or
read determines how many times you have to open the function block. You accelerate the
data exchange if you open the MODBUS communication FB in the OB1 cycle of the CPU.
Data exchange will take longer when you open the MODBUS communication FB in "slow"
cyclic interrupts.
Module Address
The only remaining task is to specify the module address LADDR at the MODBUS
communications FB.
7.1.2
Data Transfer Length CPU <-> CP
Data Transfer Length
Transfer of data CP <-> CPU is carried out by the function blocks P_SND_RK and
P_RCV_RK.
The length of data transfer depends on the function code (see the chapter "Function codes
(Page 73)").
This means that the MODBUS slave driver replies with an error message frame with
Exception_Code in the event that a MODBUS read or write access is carried out which
exceeds the data lengths specified above .
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
63
CPU-CP interface
7.1 CPU-CP interface for CP 341
7.1.3
Data Consistency
Block Size
Data transfer between CPU and CP is carried out by function blocks P_SND_RK and
P_RCV_RK.
To ensure a stable reaction handling to system interrupts of the S7 automation system, data
transfer between CPU and CP is carried out block-by-block.
The block size for the access to the SIMATIC memory area (data blocks, memory bits,…) is
32 bytes.
Data Consistency
Data consistency during data transmission is given only for the above-listed block size of 32
bytes.
For larger volumes of data, the data is transferred in the listed block size with a time delay
between each block.
Data consistency between the individual blocks cannot be guaranteed because the data may
be processed by the user program at the same time.
Access to the CPU memory is carried out while the user program is running whenever the
P_RCV_PK is passed.
MODBUS Slave
This means the following for the driver MODBUS slave:
If data consistency is required when reading/writing registers or bits, the volume of data
transferred by a single message frame must be limited to the above-mentioned block size:
for example, a maximum of 16 registers with FC 03, 04 and 16 or a maximum of 256 bits
with FC 01, 02 and 15.
If required, it is possible to ensure consistent processing of related data areas by means of
appropriate coordination mechanisms at user program level.
64
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
CPU-CP interface
7.2 CPU-CP Interface for CP 441-2
7.2
CPU-CP Interface for CP 441-2
7.2.1
General Information
MODBUS Communications FB
Data transfer between CP and CPU is carried out by the integrated system functions PUT
and GET and the SFBs BSEND and STATUS.
The supplied MODBUS communications FB calls the SFBs BSEND and STATUS.
PUT and GET are operating system functions which run in the background program of the
CPU, independently of the user program.
It is not necessary to program any further SFB calls in the SIMATIC user program.
Communications Link
The only remaining task is to specify the Connection ID from the link configuration at the
MODBUS communications FB.
The Parameter ID describes the unique communication link to a communication partner.
7.2.2
Data Transfer Length CPU <-> CP
Data Transfer Length
Transfer of data CP <-> CPU is carried out by the system functions PUT and GET.
The length of data transfer depends on the CPU type: (see also Reference Manual "System
and Standard Functions").
System function
S7-400
PUT / GET
450 bytes
This means that the MODBUS slave driver replies with an error message frame with
Exception_Code in the event that a MODBUS read or write access is carried out which
exceeds the data lengths specified above .
The table below shows the maximum amount of data.
S7-400
MODBUS function code
Maximum number of registers
01, 02
03, 04, 16
2040
127
15
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Maximum number of bits
2040
65
CPU-CP interface
7.2 CPU-CP Interface for CP 441-2
7.2.3
Data Consistency
Block Size
Data transfer between CP and CPU is carried out by the integrated system functions PUT
and GET.
To ensure a stable reaction handling to system interrupts of the S7 automation system, data
transfer between CPU and CP is carried out block-by-block.
The block size for the access to the SIMATIC memory area (data blocks, memory bits,…) is
32 bytes.
Data Consistency
As the access to the CPU memory area by the utilities PUT and GET is carried out
asynchronous to the STEP 7 application program, data consistency during data transmission
is given only for the above-mentioned block sizes.
For larger volumes of data, the data is transferred in the listed block size with a time delay
between each block.
Data consistency between the individual blocks cannot be guaranteed because the data may
be processed by the user program at the same time.
Please note furthermore that access to the CPU memory can be carried out at any time
while the user program is running because the integrated system functions PUT and GET
run in the background program of the CPU.
This system response specific to the S7 CPUs is described in the Reference Manual
“System and Standard Functions” in chapters 17 and 18 (Data Consistency) (see also
Further Sources of Information in the preface of this manual).
MODBUS Slave
This means the following for the driver MODBUS slave:
If data consistency is required when reading/writing registers or bits, the volume of data
transferred by a single message frame must be limited to the above-mentioned block size:
for example, for S7-400: a maximum of 16 registers with FC 03, 04 and 16 or a maximum of
256 bits with FC 01, 02 and 15.
You should also note that the read and write access of the MODBUS function codes may be
carried out at any time within the user program.
If required, it is possible to ensure consistent processing of related data areas by means of
appropriate coordination mechanisms at user program level.
66
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
8
Transmission Protocol
General Information
The procedure used is a code-transparent, asynchronous half-duplex procedure.
Data transfer is carried out without handshake.
Master-Slave Relationship
The MODBUS master system initiates transmission, and after outputting a request message
frame it waits for a reply message frame from the slave. Message frame exchange from
slave to slave is not possible.
Message frame structure
The data exchange "Master-Slave" and/or "Slave-Master" begins with the slave address,
followed by the function code. Then the data are transferred. The structure of the data field
depends on the function code used. The CRC check is transmitted at the end of the
message frame.
ADDRESS
FUNCTION
DATA
CRC-CHECK
Byte
Byte
n byte
2 byte
ADDRESS
MODBUS slave address
FUNCTION
MODBUS function code
DATA
Message frame data: Byte_Count, Coil_Number, Data
CRC-CHECK
Message frame checksum
Slave Address
The slave address can be within the range 1 to 255. The address is used to address a
defined slave on the bus.
Broadcast Message
The master uses slave address 0 to address all slaves on the bus.
Broadcast messages are only permitted in conjunction with writing Function codes 05, 06, 15
and 16.
A broadcast message is not followed by a reply message frame from the slave.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
67
Transmission Protocol
Function code
The function code defines the meaning of the message frame. It also defines the structure of
the message frame.
The following function codes are supported by the CP:
Function code
Function in accordance with MODBUS specification
01
Read Coil Status
02
Read Input Status
03
Read Holding Registers
04
Read Input Registers
05
Force Single Coil
06
Preset Single Register
08
Loop Back Test
15
Force Multiple Coils
16
Preset Multiple Registers
Data Field DATA
The data field DATA is used to transfer the function code-specific data such as:
● Bytecount,
● Coil_Startaddress,
● Register_Startaddress;
● Number_of_Coils,
● Number_of_Registers, ... .
For information see section "Function Codes (Page 73)".
CRC-Check
The end of the message frame is identified by means of the CRC 16 checksum consisting of
2 bytes. It is calculated by the following polynominal: x16 + x15 + x2 + 1.
The low byte is transferred first, followed by the high byte.
68
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Transmission Protocol
End of Message Frame
The driver recognizes the end of the message frame when no transmission takes place
during the time period required for the transmission of three and a half characters (3.5 times
character delay time) (see MODBUS Protocol Reference Guide).
This message frame end TIME_OUT is therefore dependent on the transmission rate.
Baud rate
TIME_OUT
76800 baud
0.5 ms
38400 baud
1 ms
19200 baud
2 ms
9600 baud
4 ms
4800 baud
8 ms
2400 baud
16 ms
1200 baud
32 ms
600 baud
64 ms
300 baud
128 ms
During "Normal operation" the Modbus message frame received by the link partner is
evaluated and format checked after the end of frame for TIME_OUTs is received.
During "Interference supression" the end of frame is recognized by correctly formatted
receive frame with a correct CRC code.
Exception Responses
On recognition of an error in the request message frame from the master, for example,
register address illegal, the slave sets the highest value bit in the function code of the reply
message frame.
This is followed by transmission of one byte of error code (Exception Code), which describes
the reason for the error.
Exception Code Message Frame
The error code reply message frame from the slave has the following structure:
for example, slave address 5, function code 5, exception code 02
Response message frame from the slave EXCEPTION_CODE_xx:
05H
Slave address
85H
Function code
02H
Exception Code (1..4)
xxH
CRC Check Code "Low"
xxH
CRC Check Code "High"
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
69
Transmission Protocol
The following error codes are sent by the CP:
Exception
code
Meaning in accordance with
MODBUS Specification
Cause
01
Illegal Function
Illegal function code received.
02
Illegal Data Address
Access to a SIMATIC area which is not enabled (see
parameter assignment - areas, limitation)
03
Illegal Data Value
Length greater 2040 bits or 127 registers,
data field not FF00 or 0000 for FC05,
diagnostics subcode <> 0000 for FC08.
04
Failure in Associated Device
Initialization by MODBUS communications FB not
yet carried out, or FB reports error,
Error during data transfer CP<->CPU
(for example, DB does not exist, maximum
transferable data length exceeded (block size
CPU<->CP) ).
RS 232C Secondary Signals
The following RS 232C secondary signals exist on the CP when the RS 232C interface
submodule is used:
DCD
Data carrier detect
DTR
Data terminal ready
DSR
Data set ready
(input)
Data carrier detected
(output)
CP ready for operation
(input)
Communication partner ready for operation
RTS
Request to send
(output)
CP ready to send
CTS
Clear to send
(input)
Communication partner can receive data from the
CP. (Response to RTS = ON of the CP)
RI
Ring indicator
(input)
Indication of an incoming call
When the CP 441 is switched on, the output signals are in the OFF state (inactive).
You can parameterize the way in which the DTR/DSR and RTS/CTS control signals are
used with the parameterization interface Assigning Parameters to Point-To-Point
Connections or control them by means of function calls (FBs) in the user program.
70
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Transmission Protocol
Using the RS 232C Secondary Signals
The RS 232C secondary signals can be used as follows:
● When the automatic use of all RS 232C secondary signals is parameterized
● By means of the FB V24_STAT and FB V24_SET functions
Note
When automatic use of the RS 232C secondary signals is parameterized, neither RTS/CTS
data flow control nor RTS and DTR control by means of the V24_SET FB are possible!
On the other hand, it is always possible to read all RS 232C secondary signals by means of
the FB V24_STAT function.
The sections that follow describe how the control and evaluation of the RS 232C secondary
signals are handled.
Automatic Use of the Secondary Signals
The automatic use of the RS 232C secondary signals on the CP is implemented as follows:
● As soon as the CP is switched by means of parameterization to an operating mode with
automatic use of the RS 232C secondary signals, it switches the RTS line to OFF and the
DTR line to ON (CP ready for use).
● Message frames cannot be sent and received until the DTR line is set to ON. As long as
DTR remains set to OFF, no data is received via the RS 232C interface. If a send request
is made, it is aborted with a corresponding error message.
● When a send request is made, RTS is set to ON and the parameterized data output
waiting time starts. When the data output time has elapsed, and CTS = ON, the data is
sent via the RS 232C interface.
● If the CTS line is not set to ON within the data output time so that data can be sent, or if
CTS changes to OFF during transmission, the send request is aborted and an error
message generated.
● After the data is sent, the RTS line is set to OFF after the parameterized time to RTS OFF
has elapsed. The CP340 does not wait for CTS to change to OFF.
● Data can be received via the RS 232C interface as soon as the DSR line is set to ON. If
the receive buffer of the CP threatens to overflow, the CP does not respond.
● An active send request or data receipt is aborted with an error message if DSR changes
from ON to OFF. The message "DSR = OFF (automatic use of V24 signals)" is entered in
the diagnostics buffer of the CP.
Note
Automatic use of the RS 232C secondary signals is only possible in half-duplex mode. When
automatic use of the RS 232C secondary signals has been set, neither RTS/CTS data flow
control nor RTS and DTR control by means of the FB 24_SET are not possible.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
71
Transmission Protocol
Time Diagram
The following figure illustrates the chronological sequence of a send request.
576
&76
21
2))
21
2))
7;'
5HTXHVWWRVHQG
576 21
3DUWQHU
&76 21
'DWDRXWSXWZDLWWLPH
H[SLUHG6HQG
'DWDRXWSXWZDLW
WLPH
Figure 8-1
72
W
6HQGLQJ
WHUPLQDWHG
7LPHWR
576
3DUWQHU
&76 2))
7LPHWR576
RII
Time diagram for automatic use of the RS 232C secondary signals
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
9
Function Codes
Used function codes
The following MODBUS function codes are supported by the driver:
Function code
Function in
accordance with
MODBUS
specification
Function in SIMATIC S7
01
Read coil status
Read bit-by-bit
Memory bits M
Read bit-by-bit
Outputs Q
Read bit-by-bit
(16 bit interval)
Timers T
Read bit-by-bit
(16 bit interval)
Counters C
02
Read input status
Read bit-by-bit
Memory bits M
Read bit-by-bit
Inputs I
03
Read holding
registers
Read word-by-word
Data block DB
04
Read input registers
Read word-by-word
Data block DB
05
Force single coil
Write bit-by-bit
Memory bits M
06
Preset single register Write word-by-word
Data block DB
08
Loop back test
-
-
15
Force multiple coils
Write bit-by-bit
(1...2040 bits)
Memory bits M
Write bit-by-bit
(1...2040 bits)
Outputs Q
Write word-by-word
(1...127 registers)
Data block DB
Write bit-by-bit
16
Preset multiple
(holding) registers
Outputs Q
Note
All MODBUS addresses listed below refer to the transmission message frame level and not
to the user level in the MODBUS master system.
This means that the MODBUS addresses in the transmission message frames begin with
0000 Hex.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
73
Function Codes
Note
The MODBUS slave driver supports a maximum data block length of 512 data words in all
the function codes which access the SIMATIC range "data block DB" (FC 03, 04, 06 and16).
When converting addresses from MODBUS to SIMATIC addresses, a "direct transition" from
one DB number to the subsequent DB number within a MODBUS master request message
frame is not possible. The MODBUS slave replies to this request message frame with an
exception code message frame and outputs "0E 39" (error while accessing the SIMATIC
range "Data block") to the diagnostic buffer.
For example, the DBX word address 510 with a length >2 cannot be output because the
address for Register no. >2 (e.g. Register 3) would automatically mean word address 0 in
DBX+1.
74
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.1 Function Code 01 – Read Coil (Output) Status
9.1
Function Code 01 – Read Coil (Output) Status
Function
This function enables the MODBUS master system to read individual bits from the SIMATIC
memory areas listed below.
Request Message Frame
ADDR
FUNC
start_address
bit_number
CRC
FUNC
Byte_count n
n byte DATA
CRC
Reply Message Frame
ADDR
start_address
The MODBUS bit address "start_address" is interpreted by the driver as follows:
The driver checks that “start_address” is located within one of the areas which were
specified during parameter assignment in the dialog box "Conversion of MODBUS
Addressing for FC 01, 05, 15" (from/to: memory bits, outputs, timers, counters).
If the MODBUS bit address start_address is
located in one of these areas,
access is made to this SIMATIC memory area
From aaaaa to bbbbb
commence at memory
bit
M uuuuu.0
From ccccc to ddddd
commence at output
Q ooooo.0
From eeeee to fffff
commence at timer
T ttttt
From ggggg to hhhhh
commence at counter
C zzzzz
The address calculation for access (address conversion) is carried out as follows:
Access beginning
with SIMATIC
Conversion formula
Memory byte
((start_address
=
– aaaaa) / 8)
/ 8)
+ uuuuu
Output byte
=
((start_address
– ccccc)
Timer
=
((start_address
– eeeee) / 16)
+ ttttt
+ ooooo
Counter
=
((start_address
– ggggg) / 16)
+ zzzzz
Access to “memory bits” and “outputs”
When accessing SIMATIC areas “Memory bits” and “Outputs,” the remaining Rest
Bit_Number is calculated and used to address the relevant bit within the first / last memory or
output byte.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
75
Function Codes
9.1 Function Code 01 – Read Coil (Output) Status
Access to "timers" and "counters"
With the address calculation, it must be possible to divide the result by 16 without having a
left over value:
● (start_address - eeeee)
● (start_address - ggggg)
Only access word-by-word starting from word limit is possible.
bit_number
Values between 1 and 2040 are permitted as the bit_number, number of coils. This number
of bits is read.
Access to "timers" and "counters"
When accessing SIMATIC areas “Timers” and “Counters,” it must be possible to divide the
"bit_number" by 16 (access word-by-word only).
Please note that a maximum of 16 “timers” and/or “counters” can be read if you are using the
CP 341.
Note
Please note the CPU-specific limitations as described in the chapter "CPU-CP Interface
(Page 63)".
Application Example
Example of parameter assignment:
Table 9- 1
Conversion of MODBUS addressing for function codes FC 01, 05 and 15
MODBUS address in
transmission message frame
SIMATIC memory area
From 0 to 2047
commence at memory bit
M 1000.0
From 2048 to 2559
commence at output
Q 256.0
From 4096 to 4607
commence at timer
T 100
From 4608 to 5119
commence at counter
C 200
Request message frame FUNCTION 01:
76
05H
Slave address ADDR
01H
Function code FUNC
00H
start_address "High"
40H
start_address "Low"
00H
bit_number "High"
20H
bit_number "Low"
xxH
CRC Check Code “Low”
xxH
CRC Check Code “High”
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.1 Function Code 01 – Read Coil (Output) Status
Reply message frame FUNCTION 01:
05H
Slave address ADDR
01H
Function code FUNC
04H
Byte_count
01H
<DATA 1> M 1008.0 - M 1008.7
17H
<DATA 2> M 1009.0 - M 1009.7
02H
<DATA 3> M 1010.0 - M 1010.7
18H
<DATA 4> M 1011.0 - M 1011.7
xxH
CRC Check Code “Low”
xxH
CRC Check Code “High”
Address calculation:
The MODBUS address “start_address” 0040 Hex (64 decimal) is located in the “memory bit”
area:
Memory byte
=
((start_address - aaaaa) / 8)
+ uuuuu
=
((64
+ 1000
=
1008 ;
- 0)
/ 8)
The remaining rest bit_number has the following result:
Rest bit_no.
=
((start_address - aaaaa) % 8) [Modulo 8]
=
((64
=
0;
- 0)
% 8)
Access is made starting from bit M 1008.0 up to and including M 1011.7.
Number of bits:
The number of MODBUS bits "bit_number" 0020 Hex (32 decimal) means that 32 bits = 4
bytes are to be read.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
77
Function Codes
9.1 Function Code 01 – Read Coil (Output) Status
Further Examples
Some other access examples are listed in the table below.
All examples are based on the above area specification.
78
start_address
Access in SIMATIC beginning
->
with
Hex
decimal
(decimal)
0000
0
Memory bit
((0
- 0)
/ 8)
0021
33
Memory bit
((33
- 0)
/ 8)
+ 1000
->
M 1000.0
+ 1000
->
M 1004.1
0400
1024
Memory bit
((1024
- 0)
/ 8)
+ 1000
->
M 1128.0
0606
1542
Memory bit
((1542
- 0)
/ 8)
+ 1000
->
M 1192.6
0840
2112
Output
((2112
- 2048)
/ 8)
+ 256
->
Q 264.0
09E4
2532
Output
((2532
- 2048)
/ 8)
+ 256
->
Q 316.4
1010
4112
Timers
((4112
- 4096)
/ 16)
+ 100
->
T 101
10C0
4288
Timers
((4288
- 4096)
/ 16)
+ 100
->
T 112
1200
4608
Counters
((4608
- 4608)
/ 16)
+ 200
->
C 200
13E0
5088
Counters
((5088
- 4608)
/ 16)
+ 200
->
C 230
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.2 Function code 02 - Read Input Status
9.2
Function code 02 - Read Input Status
Function
This function enables the MODBUS master system to read individual bits from the SIMATIC
memory areas listed below.
Request message frame
ADDR
FUNC
start_address
bit_number
CRC
FUNC
Byte_count n
n byte DATA
CRC
Reply Message Frame
ADDR
start_address
The MODBUS bit address "start_address" is interpreted by the driver as follows:
The driver checks that "start_address" is located within one of the areas which were entered
during parameter assignment in the dialog box "Conversion of MODBUS Addressing for FC
02" (from/to: memory bits, inputs).
If the MODBUS bit address is located in area
start_address ,
SIMATIC memory area is accessed
from kkkkk to lllll
commence at memory
bit
M vvvvv.0
from nnnnn to rrrrr
from input
I sssss.0
The address calculation for access, address conversion, is carried out as follows:
Access beginning
with SIMATIC
Conversion formula
Memory byte
=
((start_address – kkkkk)
/ 8)
+ vvvvv
Input byte
=
((start_address – nnnnn) / 8)
+ sssss
Access to “memory bits” and “inputs”
When accessing SIMATIC areas “Memory bits” and “Inputs,” the remaining rest bit_number
is calculated and used to address the relevant bit within the first / last memory or input byte.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
79
Function Codes
9.2 Function code 02 - Read Input Status
bit_number
Any value between 1 and 2040 is permitted as the bit_number, number of coils. This number
of bits is read.
Note
Please note the CPU-specific limitations as described in the chapter "CPU-CP Interface
(Page 63)".
Application Example
Example of parameter assignment:
Table 9- 2
Conversion of MODBUS addressing for function code FC 02
MODBUS address in
transmission message frame
SIMATIC memory area
from 0 to 4095
commence at memory bit
M 2000.0
from 4096 to 5119
commence at input
I 128.0
Request message frame FUNCTION 02:
05H
Slave address ADDR
02H
Function code FUNC
10H
start_address "High"
30H
start_address "Low"
00H
bit_number "High"
18H
bit_number "Low"
xxH
CRC Check Code “Low”
xxH
CRC Check Code "High"
Reply message frame FUNCTION 02:
80
05H
Slave address ADDR
02H
Function code FUNC
03H
Byte_count
12H
<DATA 1> I 134.0 - I 134.7
34H
<DATA 2> I 135.0 - I 135.7
56H
<DATA 3> I 136.0 - I 136.7
xxH
CRC Check Code “Low”
xxH
CRC Check Code "High"
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.2 Function code 02 - Read Input Status
Address calculation:
The MODBUS address "start_address" 1030 Hex (4144 decimal) is located in the "Inputs"
area:
Input byte
=
((start_address - nnnnn) / 8)
=
((4144
=
134 ;
- 4096)
+ sssss
+ 128
/ 8)
The remaining rest bit_number has the following result:
Rest bit_no.
=
((start_address - nnnnn) % 8) [Modulo 8]
=
((4144
=
0;
- 4096)
% 8)
Inputs I 134.0 up to and including I 136.7 are accessed.
Number of bits:
The number of MODBUS bits "bit_number" 0018 Hex (24 decimal) means that 24 bits =
3 bytes are to be read.
Further Examples
Some other access examples are listed in the table below.
All examples are based on the above area specification.
start_address
Access in SIMATIC beginning
Hex
Dezimal
(decimal)
0000
0
Memory bit
((0
- 0)
/ 8)
0071
113
Memory bit
((113
- 0)
/ 8)
->
with
+ 2000
->
M 2000.0
+ 2000
->
M 2014.1
0800
2048
Memory bit
((2048
- 0)
/ 8)
+ 2000
->
M 2256.0
0D05
3333
Memory bit
((3333
- 0)
/ 8)
+ 2000
->
M 2416.5
1000
4096
Input
((4096
- 4096)
/ 8)
+ 128
->
I 128.0
10A4
4260
Input
((4260
- 4096)
/ 8)
+ 128
->
I 148.4
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
81
Function Codes
9.3 Function Code 03 - Read Output Registers
9.3
Function Code 03 - Read Output Registers
Function
This function enables the MODBUS master system to read data words from a data block
Request Message Frame
ADDR
FUNC
start_register
register_number
CRC
FUNC
Byte_count n
n/2 register DATA (High, Low)
CRC
Reply Message Frame
ADDR
start_register
The MODBUS register address "start_register" is interpreted by the driver as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU
VWDUWBUHJLVWHURIIVHWB'%BQR
%LW
VWDUWBUHJLVWHUZRUGQR
For further address generation, the driver uses the “base DB number” (commencing at DB
xxxxx) entered in the dialog box "Conversion of MODBUS Addressing for FC 03, 06, 16"
during parameter assignment.
The address calculation for access, address conversion, is carried out as follows:
Access to SIMATIC
Conversion formula
Data block DB
(resulting DB)
=
(base DB number xxxxx + start_register offset_DB_No.)
Data word DBW
=
(start_register word_No. ∗ 2)
Calculation Formula for start_register
Providing the resulting DB to be read is known, the MODBUS address start_register required
in the master system can be calculated in accordance with the following formula:
start_register
=
((resulting DB – base DB number) * 512) + (data word_DBW / 2)
This is based on even numbered data word numbers only.
82
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.3 Function Code 03 - Read Output Registers
register_number
Any value between 1 and 127 is permitted as the register _number, number of registers. This
number of registers is read. Please observe the following rule:
(register_number)max
=
512 - start_register
Note
Please note the CPU-specific limitations as described in the chapter "CPU-CP Interface
(Page 63)".
Application Example
Example of parameter assignment:
Table 9- 3
Conversion of MODBUS addressing for function codes FC 03, 06 and 16
MODBUS address in
transmission message frame
SIMATIC memory area
0
commence at data block
(base DB number)
DB 800
Request message frame FUNCTION 03:
05H
Slave address ADDR
03H
Function code FUNC
00H
start_register "High"
50H
start_register "Low
00H
register_number "High"
02H
register_number "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Reply message frame FUNCTION 03:
05H
Slave address ADDR
03H
Function code FUNC
04H
Byte_count
87H
<DATA 1> DBW 160 "High"
65H
<DATA 2> DBW 160 "Low"
43H
<DATA 3> DBW 161 "High"
21H
<DATA 4> DBW 161 "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
83
Function Codes
9.3 Function Code 03 - Read Output Registers
Address calculation:
The MODBUS address "start_register" 0050 Hex (80 decimal) is interpreted as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU +H[
%LW
VWDUWBUHJLVWHUZRUGQR
+H[ GHFLPDO
VWDUWBUHJLVWHURIIVHWB'%BQR
+H[ GHFLPDO
'DWDEORFN'%
UHVXOWLQJ'%
EDVH'%QXPEHU[[[[
VWDUWBUHJLVWHURIIVHWB'%BQR
'DWDZRUG'%:
VWDUWBUHJLVWHUZRUGB1R
Access is made to DB 800, data word DBW 160.
Number of registers:
The number of MODBUS registers "register_number" 0002 Hex (2 decimal) means that
2 registers = 2 data words are read.
Further Examples
Some other access examples are listed in the table below.
start_register
84
start_register
Base DB
no.
Offset
DB_no.
Word number
Resulting DB
DBW
Hex
decimal
decimal
decimal
Hex
decimal
decimal
decimal
0000
0
800
0
000
0
800
0
01F4
500
800
0
1F4
500
800
1000
0200
512
800
1
000
0
801
0
02FF
767
800
1
0FF
255
801
510
0300
768
800
1
100
256
801
512
03FF
1023
800
1
1FF
511
801
1022
0400
1024
800
2
000
0
802
0
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.4 Function code 04 - Read Input Registers
9.4
Function code 04 - Read Input Registers
Function
This function enables the MODBUS master system to read data words from a data block.
Request Message Frame
ADDR
FUNC
start_register
register_number
CRC
FUNC
Byte_count n
n/2 register DATA (High, Low)
CRC
Reply Message Frame
ADDR
start_register
The MODBUS register address "start_register" is interpreted by the driver as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU
VWDUWBUHJLVWHURIIVHWB'%BQR
%LW
VWDUWBUHJLVWHUZRUGQR
For further address generation, the driver uses the “base DB number” (commencing at DB
xxxxx) specified in the dialog box "Conversion of MODBUS addressing for FC4".
The address calculation for access, address conversion, is carried out in two steps as
follows:
Access to SIMATIC
Conversion formula
Data block DB
(resulting DB)
=
(base DB number xxxxx + start_register-offset_DB_no.)
Data word DBW
=
(start_register word_No. ∗ 2)
Calculation Formula for start_register
Providing the resulting DB to be read is known, the MODBUS address start_register required
in the master system can be calculated in accordance with the following formula:
start_register
=
((resulting DB – base DB number) * 512) + (data word_DBW / 2)
Only even numbered data word numbers are permissible.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
85
Function Codes
9.4 Function code 04 - Read Input Registers
register_number
Any value between 1 and 127 is permitted as the register _number, number of registers. This
number of registers is read. Please observe the following rule:
(register_number)max
=
512 - start_register
Note
Please note the CPU-specific limitations as described in the chapter "CPU-CP Interface
(Page 63)".
Application Example
Example of parameter assignment:
Table 9- 4
Conversion of MODBUS addressing for function code FC 04
MODBUS address in
transmission message frame
SIMATIC memory area
0
commence at data block
(base DB number)
DB 900
Request message frame FUNCTION 04:
86
05H
Slave address ADDR
04H
Function code FUNC
02H
start_register "High"
C0H
start_register "Low
00H
register_number "High"
03H
register_number "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.4 Function code 04 - Read Input Registers
Reply message frame FUNCTION 04:
05H
Slave address ADDR
04H
Function code FUNC
06H
Byte_count
A1H
<DATA 1> DBW 384 "High"
A2H
<DATA 2> DBW 384 "Low"
A3H
<DATA 3> DBW 385 "High"
A4H
<DATA 4> DBW 385 "Low"
A5H
<DATA 5> DBW 386 "High"
A6H
<DATA 6> DBW 386 "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Address Calculation:
The MODBUS address "start_register" 02C0 Hex (704 decimal) is interpreted as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU &+H[
VWDUWBUHJLVWHURIIVHWB'%BQR
+H[ GHFLPDO
%LW
VWDUWBUHJLVWHUZRUGQR
&+H[ GHFLPDO
'DWDEORFN'%
UHVXOWLQJ'%
EDVH'%QXPEHU[[[[
VWDUWBUHJLVWHURIIVHWB'%BQR
'DWDZRUG'%:
VWDUWBUHJLVWHUZRUGB1R
Access is made to DB 901, data word DBW 384.
Number of registers:
The number of MODBUS registers "register_number" 0003 Hex (3 decimal) means that
3 registers = 3 data words are read.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
87
Function Codes
9.4 Function code 04 - Read Input Registers
Further examples
Some other access examples are listed in the table below.
start_register
88
start_register
Base DB
no.
Offset
DB_no.
Word number
Resulting DB
DBW
Hex
decimal
decimal
decimal
Hex
decimal
decimal
decimal
0000
0
900
0
000
0
900
0
0064
100
900
0
064
100
900
200
00C8
200
900
0
0C8
200
900
400
0190
400
900
0
190
400
900
800
1400
5120
900
10
000
0
910
0
1464
5220
900
10
064
100
910
200
14C8
5320
900
10
0C8
200
910
400
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.5 Function Code 05 - Force Single Coil
9.5
Function Code 05 - Force Single Coil
Function
This function enables the MODBUS master system to write a bit into the SIMATIC memory
of the CPU as listed below.
Request Message Frame
ADDR
FUNC
coil_address
DATA on/off
CRC
FUNC
coil_address
DATA on/off
CRC
Reply Message Frame
ADDR
coil_address
The MODBUS bit address "coil_address" is interpreted by the driver as follows:
The driver checks whether "coil_address" is located within one of the areas which were
entered during parameter assignment in the dialog box "Conversion of MODBUS Addressing
for FC 01, 05, 15" (from/to: memory bits, outputs, timers, counters).
If the
MODBUS bit address
coil_address
is located in the area
the
SIMATIC memory area is accessed
from aaaaa to bbbbb
commence at
memory bit
M uuuuu.0
from ccccc to ddddd
commence at output
Q ooooo.0
The address calculation for access (address conversion) is carried out as follows:
Access beginning with
SIMATIC
Conversion formula
Memory byte
=
((coil_address
- aaaaa)
/ 8)
+ uuuuu
Output byte
=
((coil_address
- ccccc)
/ 8)
+ ooooo
Access to “memory bits” and “outputs”
When accessing the SIMATIC areas "memory bits" and "outputs", the remaining rest
bit_number is calculated and used to address the relevant bit within the memory or output
byte.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
89
Function Codes
9.5 Function Code 05 - Force Single Coil
Access to "timers" and "counters"
Access to the SIMATIC timers and counters areas is not permitted with function code FC 05
and is rejected by the driver with an error message frame.
DATA on/off
The following two values are permitted as DATA-on/off:
● FF00H -> Set bit.
● 0000H -> Delete bit.
Application Example
Example of parameter assignment:
Table 9- 5
Conversion of MODBUS addressing for function codes FC 01, 05, 15
MODBUS address in
transmission message frame
SIMATIC memory area
from 0 to 2047
commence at memory bit
M 1000.0
from 2048 to 2559
commence at output
Q 256.0
Request message frame FUNCTION 05:
05H
Slave address ADDR
05H
Function code FUNC
08H
coil_address "High"
09H
coil_address "Low" A257.1
FFH
DATA on/off "High"
00H
DATA on/off "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Reply message frame FUNCTION 05:
90
05H
Slave address ADDR
05H
Function code FUNC
08H
coil_address "High"
09H
coil_address "Low" A257.1
FFH
DATA on/off "High"
00H
DATA on/off "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.5 Function Code 05 - Force Single Coil
Address Calculation:
The MODBUS address "coil_address" 0809 Hex (2057 decimal) is located in the "outputs"
area:
Output byte
= ((coil_address
- ccccc)
/ 8)
+ ooooo
= ((2057
- 2048)
/ 8)
+ 256
=
257 ;
The remaining rest bit_number has the following result:
Rest bit_no.
= ((coil_address
- ccccc)
% 8)
= ((2057
- 2048)
% 8)
=
[Modulo 8]
1;
Output Q 257.1 is accessed.
Further Examples
For further examples of access to memory bits and outputs, refer to FC 01.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
91
Function Codes
9.6 Function code 06 - Preset Single Register
9.6
Function code 06 - Preset Single Register
Function
This function enables the MODBUS master system to write a data word in a data block of the
CPU.
Request Message Frame
ADDR
FUNC
start_register
DATA value (High, Low)
CRC
FUNC
start_register
DATA value (High, Low)
CRC
Reply Message Frame
ADDR
start_register
The MODBUS register address "start_register" is interpreted by the driver as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU
VWDUWBUHJLVWHURIIVHWB'%BQR
%LW
VWDUWBUHJLVWHUZRUGQR
For further address generation, the driver uses the "base DB number" commencing at DB
xxxxx entered in the dialog box "Conversion of MODBUS Addressing for FC 03, 06, 16"
during parameter assignment .
The address calculation for access, address conversion, is carried out in two steps as
follows:
Access to
SIMATIC
Conversion formula
Data block DB
(resulting DB)
=
(base DB number xxxxx + start_register-offset_DB_no.)
Data word DBW
=
(start_register word_No.
∗ 2)
Calculation Formula for start_register
Providing the resulting DB to be written is known, the MODBUS address start_register
required in the master system can be calculated in accordance with the following formula:
start_register
=
((resulting DB – base DB number) * 512) + (data word_DBW / 2)
Only even numbered data word numbers are permissible.
92
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.6 Function code 06 - Preset Single Register
DATA Value
Any value can be used as the DATA value, register value.
Application Example
Example of parameter assignment:
Table 9- 6
Conversion of MODBUS addressing for function codes FC 03, 06 and 16
MODBUS address in
transmission message frame
SIMATIC memory area
0
commence at data block
(base DB number)
DB 800
Request message frame FUNCTION 06:
05H
Slave address ADDR
06H
Function code FUNC
01H
start_register "High"
80H
start_register "Low" DBW 768
2BH
DATA value "High"
1AH
DATA value "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Reply message frame FUNCTION 06:
05H
Slave address ADDR
06H
Function code FUNC
01H
start_register "High"
80H
start_register "Low" DBW 768
2BH
DATA value "High"
1AH
DATA value "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
93
Function Codes
9.6 Function code 06 - Preset Single Register
Address Calculation:
The MODBUS address "start_register" 0180 Hex (384 decimal) is interpreted as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU +H[
VWDUWBUHJLVWHURIIVHWB'%BQR
+H[ GHFLPDO
%LW
VWDUWBUHJLVWHUZRUGQR
+H[ GHFLPDO
'DWDEORFN'%
UHVXOWLQJ'%
EDVH'%QXPEHU[[[[
VWDUWBUHJLVWHURIIVHWB'%BQR
'DWDZRUG'%:
VWDUWBUHJLVWHUZRUGB1R
Access is made to DB 800, data word DBW 768.
Further examples
For further access examples, please refer to FC 03.
94
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.7 Function code 08 - Loop back Diagnostic Test
9.7
Function code 08 - Loop back Diagnostic Test
Function
This function is used to check the communications connection.
It has no effect on the S7 CPU, the user programs or user data. The received message
frame is returned to the master system by the driver independently.
Request Message Frame
ADDR
FUNC
Diagnostic code (High,Low)
Test data
CRC
FUNC
Diagnostic code (High,Low)
Test data
CRC
Reply Message Frame
ADDR
Diagnostic Code
Only Diagnostic Code 0000 is supported!
Test Data
Any 16-bit value.
Application Example
Request message frame FUNCTION 08:
05H
Slave address ADDR
08H
Function code FUNC
00H
Diagnostic code "High"
00H
Diagnostic code "Low"
A5H
Test value "High"
C3H
Test value "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
95
Function Codes
9.7 Function code 08 - Loop back Diagnostic Test
Reply message frame FUNCTION 08:
96
05H
Slave address ADDR
08H
Function code FUNC
00H
Diagnostic code "High"
00H
Diagnostic code "Low"
A5H
Test value "High"
C3H
Test value "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.8 Function code 15 - Force Multiple Coils
9.8
Function code 15 - Force Multiple Coils
Function
This function enables the MODBUS master system to write several bits to the SIMATIC
memory areas listed below.
Request Message Frame
ADDR
FUNC
start_address
quantity
byte_count n
n DATA
CRC
Reply Message Frame
ADDR
FUNC
start_address
quantity
CRC
start_address
The MODBUS bit address "start_address" is interpreted by the driver as follows:
The driver checks whether “start_address” is located within one of the areas which were
entered during parameter assignment in the dialog box "Conversion of MODBUS Addressing
for FC 01, 05, 15" (from/to: memory bits, outputs, timers, counters).
If the MODBUS bit address is located in area
start_address,
SIMATIC memory area is accessed
from aaaaa to bbbbb
commence at
memory bit
M uuuuu.0
from ccccc to ddddd
commence at output
Q ooooo.0
The address calculation for access, address conversion, is carried out as follows:
Access beginning with
SIMATIC
Conversion formula
Memory byte
=
((start_address - aaaaa) / 8)
+ uuuuu
Output byte
=
((start_address - ccccc)
+ ooooo
/ 8)
Access to “memory bits” and “outputs”
When accessing the SIMATIC areas "memory bits" and "outputs", the remaining rest
bit_number is calculated and used to address the relevant bit within the memory or output
byte.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
97
Function Codes
9.8 Function code 15 - Force Multiple Coils
Access to "timers" and "counters"
Access to the SIMATIC timers and counters areas is not permitted with function code FC 15
and is rejected by the driver with an error message frame.
Quantity
Any value between 1 and 2040 is permitted as the quantity, number of bits.
Note
Please note the CPU-specific limitations as described in the chapter "CPU-CP Interface
(Page 63)".
DATA
Any values are contained in the DATA field as bit statuses.
Application Example
Example of parameter assignment:
Table 9- 7
Conversion of MODBUS addressing for function codes FC 01, 05 and 15
MODBUS address in
transmission message frame
SIMATIC memory area
0 to 2047
commence at memory bit
M 1000.0
from 2048 to 2559
commence at output
Q 256.0
Action:
The MODBUS master system wants to write the following bit statuses on to memory bits M
1144.0 ... M 1144.7 and M 1145.0 ... M 1145.3:
Memory bit M 1144
Memory bit M 1145
98
7
6
5
4
3
2
1
0
ON
ON
OFF
OFF
ON
ON
OFF
ON
7
6
5
4
3
2
1
0
-
-
-
-
ON
OFF
OFF
ON
Bit
Bit
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.8 Function code 15 - Force Multiple Coils
Request message frame FUNCTION 15:
05H
Slave address ADDR
0FH
Function code FUNC
04H
start_address "High"
80H
start_address "Low" (M 1144.0 ... )
00H
quantity "High"
0CH
quantity "Low" (12 bits)
02H
bytecount
CDH
status coil (M 1144.0 ... M 1144.7)
09H
status coil (M 1145.0 ... M 1145.3)
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Reply message frame FUNCTION 15:
05H
Slave address ADDR
0FH
Function code FUNC
04H
start_address "High"
80H
start_address "Low"
00H
quantity "High"
0CH
quantity "Low"
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Address Calculation:
The MODBUS address "coil_address" 0480 Hex (1152 decimal) is located in the "memory
bit" area:
Memory byte
=
((start_address - aaaaa) / 8)
+ uuuuu
=
((1152
+ 1000
=
1144 ;
- 0)
/ 8)
The remaining rest bit_number has the following result:
Rest bit_no.
=
((start_address - aaaaa) % 8) [Modulo 8]
=
((1152
=
0;
- 0)
% 8)
Access is made to memory bits commencing at M 1144.0.
Further Examples
For further examples of access to memory bits and outputs, refer to FC 01.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
99
Function Codes
9.9 Function code 16 - Preset Multiple Registers
9.9
Function code 16 - Preset Multiple Registers
Function
The function code enables the MODBUS master system to write several data words in a
data block of the SIMATIC CPU.
Request Message Frame
ADDR
FUNC
start_register
quantity
byte_count n
n-DATA (High,Low)
CRC
Reply Message Frame
ADDR
FUNC
start_register
quantity
CRC
start_register
The MODBUS register address "start_register" is interpreted by the driver as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU
VWDUWBUHJLVWHURIIVHWB'%BQR
%LW
VWDUWBUHJLVWHUZRUGQR
For further address generation, the driver uses the "base DB number" commencing at DB
xxxxx entered in the dialog box "Conversion of MODBUS Addressing for FC 03, 06, 16"
during parameter assignment .
The address calculation for access, address conversion, is carried out in two steps as
follows:
Access to SIMATIC
Conversion formula
Data block DB
(resulting DB)
= (base DB number xxxxx + start_register-offset_DB_no.)
Data word DBW
= (start_register word_No.
∗ 2)
Calculation formula for start_register
Providing the resulting DB to be written is known, the MODBUS address start_register
required in the master system can be calculated in accordance with the following formula:
start_register
=
((resulting DB – base DB number) * 512) + (data word_DBW / 2)
Only even numbered data word numbers are permissible.
100
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Function Codes
9.9 Function code 16 - Preset Multiple Registers
Quantity
Any value between 1 and 127 is permitted as the quantity, number of registers. Please
observe the following rule:
(Quantity)max
=
512 - start_register
Note
Please note the CPU-specific limitations as described in the chapter "CPU-CP Interface
(Page 63)".
DATA (High,Low)
Any value can be used as DATA DATA (High,Low) (register value).
Application example
Example of parameter assignment:
Table 9- 8
Conversion of MODBUS addressing for function codes FC 03, 06, 16
MODBUS address in
transmission message frame
SIMATIC memory area
0
commence at data block
(base DB number)
DB 800
Action:
The MODBUS master system wants to write the values CD09 Hex, DE1A Hex and EF2B
Hex to data words DBW 100, DBW 102 and DBW 104 of DB 800.
Request message frame FUNCTION 16:
05H
Slave address ADDR
10H
Function code FUNC
00H
start_register "High"
32H
start_register "Low" DBW 100
00H
quantity "High"
03H
quantity "Low" (3 registers)
06H
bytecount
CDH
register value -High (DBW100)
09H
register value -Low
DEH
register value -High (DBW102)
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
101
Function Codes
9.9 Function code 16 - Preset Multiple Registers
1AH
register value -Low
EFH
register value -High (DBW104)
2BH
register value -Low
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Reply message frame FUNCTION 16:
05H
Slave address ADDR
10H
Function code FUNC
00H
start_register "High"
32H
start_register "Low"
00H
quantity "High"
03H
quantity "Low" (3 registers)
xxH
CRC check code "Low"
xxH
CRC Check Code "High"
Address calculation:
The MODBUS address "start_register" 0032 Hex (50 decimal) is interpreted as follows:
0RGEXVUHJLVWHUQXPEHU VWDUWBUHJLVWHU +H[
VWDUWBUHJLVWHURIIVHWB'%BQR
+H[ GHFLPDO
%LW
VWDUWBUHJLVWHUZRUGQR
+H[ GHFLPDO
'DWDEORFN'%
UHVXOWLQJ'%
EDVH'%QXPEHU[[[[
VWDUWBUHJLVWHURIIVHWB'%BQR
'DWDZRUG'%:
VWDUWBUHJLVWHUZRUGB1R
DB 800, data word DBW 100 is accessed.
Further examples
For further access examples, please refer to FC 03.
102
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Driver
10
Diagnostic Functions
The diagnostic functions of the CP enable you to quickly locate any errors that occur. The
following diagnostic functions are available:
● Diagnostics via the display elements of the CP
● Diagnostics via the STATUS output of the function blocks
● Diagnostics via the SYSTAT error message area (for CP 441-2 only)
● Diagnostic buffer of the CP
Display elements (LEDs)
The display elements provide information on the operating status and/or possible error
statuses of the CP. The display elements give a first overview of internal or external errors,
as well as interface-specific errors.
STATUS Output of FBs/SFBs
Every function block and system function block has a STATUS output for error diagnostics
purposes. Reading the STATUS output gives you information on errors which occurred
during communication. You can evaluate the STATUS parameter in the user program.
Error Message Area SYSTAT (CP 441-2 only)
The error message area SYSTAT is a storage area on the CP 441-2 where all errors and
events recognized by the CP are entered in detail. You can read the SYSTAT area by
programming the system function block STATUS in the user program.
Diagnostic Buffer of the CP
All errors and events described in the chapter "Table of Errors/Events (Page 110)" are also
entered in the diagnostic buffer of the CP. The manual for the CP describes how you can
read the diagnostic buffer.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
103
Diagnostics of the Driver
10.1 Diagnostic Facilities on the CP 341
10.1
Diagnostic Facilities on the CP 341
10.1.1
Diagnostics via Display Elements of the CP 341
Display Elements
The display elements of the CP 341 provide information on the CP 341. The following
display functions are available:
Group Error Displays

SF (red)
Error occurred or new parameters assigned
Special Displays

TXD (green)
Send active; lights up when the CP 341 sends user data via the interface.

RXD (green)
Receive active; lights up when the CP 341 receives user data via the
interface.
Group Error Display SF
The group error display SF always lights up after POWER ON and goes out after
initialization. If parameter assignment data have been generated for the CP 341, the SF LED
lights up again briefly when new parameters are assigned.
The group error display SF lights up when the following errors have occurred:
● Hardware error
● Firmware error
● Parameter assignment error
● BREAK (Receiving line between CP 341 and communication partner is interrupted.)
104
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Driver
10.1 Diagnostic Facilities on the CP 341
10.1.2
Diagnostic Messages of the Function Blocks of the CP 341
Introduction
Each function block has a STATUS parameter for error diagnostics purposes. Each STATUS
message number has the same meaning, irrespective of which function block is used.
Event Class / Event Number Numbering Scheme
The figure below illustrates the structure of the STATUS parameter.
%LWQR
67$786
5HVHUYHG
(YHQWFODVV
(YHQWQXPEHU
HUURUQXPEHU
The individual errors/events are listed in the chapter "Table of Errors/Events (Page 110)".
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
105
Diagnostics of the Driver
10.2 Diagnostic Facilities on the CP 441-2
10.2
Diagnostic Facilities on the CP 441-2
10.2.1
Diagnostics via Display Elements of the CP 441-2
Display Functions
The display elements of the CP 441-2 provide information on the CP 441-2. The following
display functions are available:
Group Error Displays
INTF
Internal error
EXTF
External error
Special Displays
TXD
Send active; lights up when the CP 441-2 sends user data via the interface.
RXD
Receive active; lights up when the CP 441-2 receives user data via the interface.
Interface Error Displays
FAULT
Interface error
Error Messages of Display Elements
The table below describes the error messages of the display elements.
106
Error display
Error description
Remedy
INTF comes on
CP 441-2 reports an internal error; for Program the SFB STATUS for detailed
example, hardware or software error. information.
EXTF comes on
CP 441-2 reports an external error;
for example, BREAK on receiving
line.
Program the SFB STATUS for detailed
information.
FAULT off
Interface ready for operation or
interface submodule not plugged in.
-
FAULT flashing
slowly
Interface is initialized and ready for
operation but communication via S7400 backplane bus not possible.
Check the general configuration and
data link configuration.
FAULT flashing
fast
Parameter incorrect or wrong and/or
faulty interface submodule plugged
in. (Submodule and interface
parameters do not match).
Check the parameter setting in the
parameter assignment interface and/or
interface submodule.
FAULT comes on
No interface parameters available or
serious fault in submodule
(hardware).
Carry out parameter assignment with
parameter assignment tool and/or check
interface submodule.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Driver
10.2 Diagnostic Facilities on the CP 441-2
10.2.2
Diagnostic Messages of the System Function Blocks of the CP 441-2
Introduction
Each system function block has a STATUS parameter for error diagnostics purposes. Each
STATUS message number has the same meaning, irrespective of the system function block
used. The STATUS messages which are most important for the CP are described in the
table below. You will find a complete and current description of the STATUS messages in
the reference manual "System Software for S7-300/400, System and Standard Functions".
Messages at STATUS Output of SFB
STATUS
Error Description
0
No error
1
Communications problems between CP and CPU
2
Negative acknowledgment, function cannot be executed, for example, link partner does
not respond or sends negative acknowledgment.
3
R-ID not known in this communications link, device not available.
4
Number of data areas or individual data types do not match.
5
Reset request received
6
Remote block is in disabled state
7
Remote partner in incorrect state.
8
Access to remote object denied, access error occurred in server (GET/PUT).
9
Overrun warning (ERROR=0): receive data were overwritten with newer data.
10
Access to local user memory not possible (e.g. DB deleted).
11
Warning (ERROR=0): New job not active because the previous job not yet completed.
12
Instance is incompatible with system call; no instance, but normal DB was called.
13
Error in format description
14
The referenced data link (application-related) does not exist, ID not known. You must
specify the local ID from the data link configuration.
15
Data link referenced via ID is generated.
16
Data link cannot be generated due to lack of resources.
Displaying and Evaluating STATUS Output
The STATUS output of the system function blocks can be displayed and evaluated using the
STEP 7 variable table.
Note
Reading the SYSTAT area with the STATUS job will provide you with detailed information on
errors and events which have occurred during communication between the CP, the
associated CPU, and the connected link partner.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
107
Diagnostics of the Driver
10.2 Diagnostic Facilities on the CP 441-2
10.2.3
Reading Error Message Area SYSTAT for CP 441-2
Reading by Communications FB
The error message area SYSTAT is already read by the MODBUS communications FB.
The FB reads the SYSTAT area cyclically and stores the data in the instance DB
commencing at DBW 40 (See also Chapter "Commissioning the Communications FB
(Page 53)").
Note
Because the STATUS request is executed asynchronously to the rest of the requests
running on a link, an SFB with a specific R_ID cannot be assigned to the error messages.
This means that although SYSTAT can display which errors have occurred on the data link,
it cannot show which SFB call triggered the error.
10.2.4
Diagnostics via Error Message Area SYSTAT of the CP 441-2
Introduction
The error message area SYSTAT is a data area of CP 441-2 where all errors and events
recognized by the CP are entered in detail. The SYSTAT area comprises six events for each
interface, as well as information on the operating state of the CP and the state of the
SYSTAT area.
Structure of SYSTAT Area
The first six errors/events recognized by the CP are entered in the SYSTAT area. Further
errors/events can only be entered once the SYSTAT area has been deleted.
The errors/events are entered in the parameter LOCAL as follows:
108
Byte 0
Operating state of CP (02H for RUN, 05H for defective)
Byte 1
reserved
Byte 2
Bit 0 - F
Error entered in SYSTAT
Bit 1 - U
Error overflow
Bit 2 - B
BREAK
Byte 3
reserved
Byte 4/5
Event 1
Byte 6/7
Event 2
Byte 8/9
Event 3
Byte 10/11
Event 4
Byte 12/13
Event 5
Byte 14/15
Event 6
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Driver
10.2 Diagnostic Facilities on the CP 441-2
Deleting the SYSTAT Area
After the SYSTAT area has been read with SFB STATUS, all SYSTAT messages are
automatically deleted.
Numbering Scheme
The numbering scheme for the events in the SYSTAT area is structured as follows:
%LWQR
5HVHUYHG
(YHQWFODVV
(YHQWQXPEHU
HUURUQXPEHU
An exact breakdown of event classes and event numbers can be found in the following
chapters and in the manual CP 441-2: Point-to-Point Communication.
Note
In contrast to standard drivers, the event classes/event numbers for the SYSTAT area are
partly modified for use with loadable drivers.
The following sections describe all the modified event classes/event numbers in their driverspecific meaning.
Unless an event is mentioned in this manual, you can assume it corresponds to the standard
data links, and it will be described in the CP 441-2 manual.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
109
Diagnostics of the Driver
10.3 Table of Errors/Events
10.3
Table of Errors/Events
Event Classes
The following event classes are defined:
10.3.1
Event Class
Description
Described in
1
Hardware error on CP
CP manual
2
Error during initialization
CP manual
3
Error during parameter assignment of PBK
CP manual
4
Errors in CP - CPU data traffic detected by CP
CP manual
5
Error during processing of a CPU job
CP manual, Driver
manual
6
Error during processing of a partner job
CP manual
7
Send error
CP manual
8
Receive error
Driver manual
9
Error message frame received from link partner
Not used
10
Errors detected by CP in reply message frame from
partner
Not used
14
General processing errors of loadable driver
Driver manual
Error Codes in SYSTAT for "CPU Job Errors"
Description
Event Class 5 (05H)
"CPU Job Errors"
Event class/
Number (Hex)
Event
Number
(Decimal)
Event Text
05 18H
24
Transmission length during transmission is too large (> Check communications FB, possibly
4 Kbytes), or transmission length for SEND is too small. reload.
110
Remedy
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Driver
10.3 Table of Errors/Events
10.3.2
Error Codes in SYSTAT for "Receive Errors"
Description
Event Class 8 (08H)
"Receive Errors"
Event class/
Number (Hex)
Event
Number
(Decimal)
Event Text
Remedy
08 06H
6
Character delay time (ZVZ) exceeded
Eliminate error in partner device or
interference on the transmission line.
08 0CH
12
Transmission error (parity error, overflow error, stop
bit error (frame)) recognized in a character.
Check for interference which could
influence the transmission line.
If required, change system structure
and/or cable laying.
Check whether the protocol
parameters transmission rate, number
of data bits, parity, number of stop bits
have the same settings for the CP and
the link partner.
08 0DH
13
BREAK
Receiving line to partner device is interrupted.
Set up the connection between the
devices or switch the partner device
on.
For use with TTY operation, check line
current in idle state.
For use with an RS422/485 (X27)
connection, check and, if required,
change the connector pin assignment
of the 2-wire receiving line R(A),R(B).
08 30H
48
Broadcast not allowed with this function code.
The MODBUS master system is
allowed to use Broadcast only for the
function codes enabled for this
purpose.
08 31H
49
Received function code not allowed.
This function code cannot be used for
this driver.
08 32H
50
Maximum amount of bits or registers exceeded, or
amount of bits cannot be divided by 16 when
accessing SIMATIC memory areas timers or
counters.
Limit maximum number of bits to 2040,
maximum number of registers to 127.
Access to SIMATIC timers/counters
only in 16-bit intervals.
08 33H
51
Amount of bits or registers for function codes FC
15/16 and message element byte_count do not
match.
Correct number of bits / registers or
byte_count.
08 34H
52
Illegal bit coding recognized for "set bit/reset bit".
Only use codings 0000Hex or
FF00Hex for FC 05.
08 35H
53
Illegal diagnostic subcode (≠ 0000Hex) recognized
for function code FC 08 "Loop Back Test".
Only use subcode 0000Hex for FC 08.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
111
Diagnostics of the Driver
10.3 Table of Errors/Events
Event Class 8 (08H)
"Receive Errors"
Event class/
Number (Hex)
Event
Number
(Decimal)
Event Text
Remedy
08 36H
54
The internally-generated value of the CRC 16
checksum does not match the received CRC
checksum.
Check CRC checksum generation by
Modbus master system.
08 37H
55
Message sequence error:
The MODBUS master system sent a new request
message before the last reply message was
transferred by the driver.
Increase the timeout to the slave reply
message for the MODBUS master
system.
10.3.3
Error Codes in SYSTAT for “General Processing Errors”
Event Class 14 (0EH)
"Loadable Driver - General Processing Errors"
Event Class/
Number (Hex)
Event
Number
(Decimal)
Event Text
Remedy
0E 01H
1
Error during initialization of the driver-specific SCC
process.
Reassign parameters of driver and
reload.
0E 02H
2
Error during startup of driver:
Wrong SCC process active (SCC driver).
The driver cannot function with this SCC driver.
Reassign parameters of driver and
reload.
0E 03H
3
Error during startup of driver:
Wrong data transfer process active (interface to
SFBs).
The driver cannot function with this data transfer
process.
Reassign parameters of driver and
reload.
0E 04H
4
Error during startup of driver:
Illegal interface submodule.
The driver cannot run with the parameterized
interface submodule.
Check and correct the parameter
assignment.
0E 05H
5
Error with driver dongle:
No dongle plugged in, or inserted dongle is faulty.
The driver is not ready to run.
Check if a driver dongle is plugged into
the CP.
If the inserted dongle is faulty, replace
it with a correct dongle.
0E 06H
6
Error with driver dongle:
The dongle has no valid contents.
The driver is not ready to run.
Obtain a correct dongle from the
Siemens office which supplied you
with the driver.
:
:
0E 10H
16
Internal error procedure:
default branch in Send automatic device.
Restart CP (Power_On)
0E 11H
17
Internal error procedure:
default branch in Receive automatic device.
Restart CP (Power_On)
112
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Driver
10.3 Table of Errors/Events
Event Class 14 (0EH)
"Loadable Driver - General Processing Errors"
Event Class/
Number (Hex)
Event
Number
(Decimal)
Event Text
Remedy
0E 12H
18
Internal error active automatic device:
Default branch
Restart CP (Power_On)
0E 13H
19
Internal error passive automatic device:
Default branch
Restart CP (Power_On)
Event Class 14 (0EH)
"Loadable Driver - General Processing Errors <Parameter Assignment>"
Event Class/
Event
Number (Hex) Number
(Decimal)
Event Text
Remedy
0E 20H
32
For this data link the amount of data bits must be
set to 8.
The driver is not ready to run.
Correct the parameter assignment of
the driver.
0E 21H
33
The multiplication factor set for the character delay
time is not within the range of 1 to 10. The driver is
operating with a standard setting of 1.
Correct the parameter assignment of
the driver.
0E 22H
34
The operating mode set for the driver is illegal.
"Normal" or "Interference Suppression" must be
specified.
The driver is not ready to run.
Correct the parameter assignment of
the driver.
0E 23H
35
An illegal value has been set for the slave address.
Slave address 0 is not allowed.
The driver is not ready to run.
Correct the parameter assignment of
the driver.
0E 24H
36
Illegal limitations have been set for write access.
The driver is not ready to run.
Correct the parameter assignment of
the driver.
0E 25H
37
An illegal “from/to” combination has been set for
the input of areas “Conversion of Modbus
Addressing for FC 01,05,15.”
(Areas memory bits, outputs, timers, counters).
The driver is not ready to run.
Correct the parameter assignment of
the driver.
0E 26H
38
An illegal “from/to” combination has been set for
the input of areas “Conversion of Modbus
Addressing for FC 02.”
(Areas memory bits, inputs).
The driver is not ready to run.
Correct the parameter assignment of
the driver.
0E 27H
39
An overlap has been set for the “from/to”
combination for the input of areas “Conversion of
Modbus Addressing for FC 01,05,15.”
(Areas memory bits, outputs, timers, counters).
The driver is not ready to run.
Correct the parameter assignment of
the driver.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
113
Diagnostics of the Driver
10.3 Table of Errors/Events
Event Class 14 (0EH)
"Loadable Driver - General Processing Errors <Parameter Assignment>"
Event Class/
Event
Number (Hex) Number
(Decimal)
Event Text
Remedy
0E 28H
40
An overlap has been set for the “from/to”
combination for the input of areas “Conversion of
Modbus Addressing for FC 02.”
(Areas memory bits, inputs).
The driver is not ready to run.
Correct the parameter assignment of
the driver.
0E 2EH
46
An error occurred when reading the interface
parameter file.
The driver is not ready to run.
Restart CP (Power_On).
Event Class 14 (0EH)
"Loadable Driver - General Processing Errors <CPU-CP>"
Event Class/
Event
Number (Hex) Number
(Decimal)
Event Text
Remedy
0E 30H
48
Internal error during data transfer to CPU:
Unexpected acknowledgment Passive.
Can be ignored if it happens
intermittently.
0E 31H
49
Timeout during data transfer to CPU.
Check CP-CPU interface.
0E 32H
50
Error occurred during data transfer to CPU with
RCV:
Exact failure reason (detailed error) is in SYSTAT
before this entry.
Check CP-CPU interface.
0E 33H
51
Internal error during data transfer to CPU::
Illegal status of automatic device
Check CP-CPU interface.
:
:
0E 38H
56
Error occurred when accessing one of the SIMATIC
areas “memory bits, outputs, timers, counters,
inputs” with function codes FC 01 or FC 02
for example, input does not exist, or read attempt in
excess of range end.
Check if the addressed SIMATIC area
exists and whether an attempt was
made to access in excess of range
end.
0E 39H
57
Error occurred when accessing SIMATIC area
“data block” with function codes FC 03, 04, 06, 16::
Data block does not exist or is too short.
Check whether the addressed data
block exists and that it is sufficiently
long.
0E 3AH
58
Error occurred when executing a write job with
function codes FC 05, 15:
Instance data block of MODBUS FB does not exist
or is too short.
Check whether the instance DB
parameterized on the MODBUS
communications FB exists and that it
is sufficiently long.
0E 3BH
59
Timeout during execution of a write job by Modbus
communications FB.
Check configuration of data link and
CP-CPU interface (SFB SEND):
possibly reload MODBUS
communications FB.
0E 3CH
60
Illegal job with this driver..
Only SFB SEND, STATUS (CP 441-2
only) are permitted.
114
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Driver
10.3 Table of Errors/Events
Event Class 14 (0EH)
"Loadable Driver - General Processing Errors <Receive Evaluation>"
Event Class/
Event
Number (Hex) Number
(Decimal)
Event Text
Remedy
0E 50H
80
The rest bit number resulting from the Modbus
address is ≠ 0 for the word-orientated SIMATIC
areas timers/counters.
Only use MODBUS addresses which
result in valid bit numbers.
0E 51H
81
The received Modbus address is outside the
parameterized “from/to” areas. (see section
"Assigning parameters to the loadable driver
(Page 35)")
Only use addresses as the address
specification in the request message
frame which have previously been
defined during parameter assignment.
0E 52H
82



SIMATIC range limitation exceeded during
access attempt by Modbus master system:
Resulting DB number < 1
or write access to an area which has not been
enabled (parameter assignment),
or write access to instance DB of the
communications FB.
Limit access range to valid SIMATIC
memory areas.
0E 53H
83
SIMATIC range limitation exceeded during access Limit access range to valid SIMATIC
attempt by Modbus master system
memory areas.
for example, overflow when generating the resulting
DB number (> 65535).
0E 54H
84
Access in excess of parameterized range end, or
access in excess of SIMATIC range end.
Limit access range to valid SIMATIC
memory areas.
0E 55H
85
Write access to this SIMATIC memory area is not
allowed.
Carry out write access only to
SIMATIC data areas memory bits,
outputs.
0E 56H
86
Data link operation not possible because
communications FB not running.
Make cyclic call of MODBUS
communications FB in STEP 7 user
program.
If required, re-initialize
communications FB.
0E 57H
87
Error occurred in communications FB during
processing of the Modbus function code.
Analyze the exact cause as described
in section "Diagnostics of the
Communications FB (Page 117)".
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
115
Diagnostics of the Driver
10.3 Table of Errors/Events
116
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Communications FB
11
Diagnostic Functions
The MODBUS communications FB has the following two output parameters which indicate
occurred errors:
● Parameter "ERROR_NR"
● Parameter "ERROR_INFO"
ERROR_NR, ERROR_INFO
Occurred errors are indicated at the ERROR_NR output.
Further details on the error in ERROR_NR are displayed at the output ERROR_INFO.
Deleting the Errors
The errors are deleted with a rising edge at CP_START.
The error displays may be deleted by the user at any time, if required.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
117
Diagnostics of the Communications FB
11.1 Diagnostics via Parameters ERROR_NR, ERROR_INFO
11.1
Diagnostics via Parameters ERROR_NR, ERROR_INFO
ERROR_No 1...9
Error during Initialization FB and CP
Error numbers 1...9 indicate initialization with error. Parameter CP_START_ERROR is 1.
MODBUS communication to the master system is not possible.
ERROR_No 10...19
Error during Processing of a Function Code
Error numbers 10...19 indicate an error during processing of a function code. The CP
transmitted an illegal processing job to the communications FB.
The error is also reported to the driver.
Subsequent processing jobs continue to be processed.
ERROR_No 90...99
Other Errors
A processing error has occurred.
The error is not reported to the driver.
Subsequent processing jobs continue to be processed.
11.1.1
Errors during “Initialization”
ERROR_ No
(decimal)
CPx41
ERROR_INFO
Error Text
Remedy
0
CPx41
0
No error
1
CPx41
SFC 51->RET_VAL
Error when reading SZL with
SFC 51.
Analyze RET_VAL in ERROR_INFO;
eliminate the cause.
2
CPx41
Timeout when initializing CP or
error when initializing CP
Check if protocol “MODBUS Slave”
has had parameters assigned on the
CP interface.
Analyze ERROR_INFO.
118
CP 341
FB 8->STATUS
Error in P_SND_RK job.
Check the LADDR module address in
the communication FB.
CP 441
SFB 12->STATUS
Error in BSEND job.
Check the connection ID in the
communication FB.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Diagnostics of the Communications FB
11.1 Diagnostics via Parameters ERROR_NR, ERROR_INFO
11.1.2
Errors during “Processing of Function Codes”
ERROR_ No
(decimal)
ERROR_INFO
Error Text
Remedy
10
Processing Code
Illegal processing function transferred by the
driver to the communications FB.
Restart CP (Power_On)
11
Start Address
Illegal start address transferred by the driver
to communications FB.
Check MODBUS address of
MODBUS master system.
12
Amount of Registers
Illegal amount of registers transferred by the
driver to communications FB:
Amount of registers = 0.
Check number of registers of
MODBUS master system, if required
restart CP (Power_ON)
13
Amount of Registers
Illegal amount of registers transferred by the
driver to communications FB:
Amount of registers = 128.
Check number of registers of
MODBUS master system, if required
restart CP (Power_ON)
14
Memory bits M - End
Address
Attempted access to SIMATIC memory area
“memory bits” in excess of range end.
Reduce MODBUS start address
and/or access length in MODBUS
master system.
Attention:
Range length in SIMATIC CPU is CPU typedependent.
15
Outputs Q – End
Address
Attempted access to SIMATIC memory area
“outputs” in excess of range end.
Attention:
Range length in SIMATIC CPU is CPU typedependent.
16
Timers T – End
Address
Attempted access to SIMATIC memory area
“timers” in excess of range end.
Attention:
Range length in SIMATIC CPU is CPU typedependent.
17
Counters C – End
Address
Attempted access to SIMATIC memory area
“counters” in excess of range end.
Attention:
Range length in SIMATIC CPU is CPU typedependent.
18
19
0
Reduce MODBUS start address
and/or access length in MODBUS
master system.
Reduce MODBUS start address
and/or access length in MODBUS
master system.
Reduce MODBUS start address
and/or access length in MODBUS
master system.
Illegal SIMATIC memory area transferred by
the driver to the communications FB.
If required, restart CP (Power_On)
Error during access to SIMATIC I/Os.
Check whether the required I/Os
exist and are error-free.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
119
Diagnostics of the Communications FB
11.1 Diagnostics via Parameters ERROR_NR, ERROR_INFO
11.1.3
“Other” Errors
ERROR_ No
(decimal)
CPx41
ERROR_INFO
Error text
Remedy
90
CP 341
FB 8->STATUS
Error sending an acknowledgment
message with FB 8 P_SND_RK to
the driver.
Analyze STATUS information.
CP 441
SFB 12 "STATUS"
Error sending an acknowledgment
message with SFB 12 BSEND to the
driver.
91
CPx41
SFB 22->STATUS
Error when reading SYSTAT with
SFB 22 (STATUS).
Analyze STATUS information.
92
CPx41
FB 7->STATUS
Error when executing a
RECEIVE/FETCH call with FB7
(RCV_RK)
Analyze FB7-STATUS
120
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Technical Data
A.1
A
Technical Data
Transmission Times
The following tables contain measured transmission times for the different function codes.
The times were measured using an S7-300 programmable controller with a CPU 315-2 DP
(6ES7315-2AF01-0AB0) and a CP 341, and an S7-400 programmable controller as the
partner device with a CPU 414 (6ES7414- 1XG01-0AB0) and a CP 441-2. The following
times were measured:
● the processing time from initiation of the job in the user program, including the processing
time on the master,
● the time taken for the job to be transmitted to the partner via the serial interface
● the time for processing on the slave,
● the time required for transmission of the acknowledgment on the serial interface.
The four times must be added to calculate the time for a complete transmission.
If you are using another master or slave as a partner, you must use the corresponding times
of the master or slave used, instead of the times in the table. The times for the job and
acknowledgment remain the same; they are only dependent on the transmission rate used.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
121
Technical Data
A.1 Technical Data
Slave is CP 341
Function Code 1 (Read) – Read Coil (Output) Status (Times in msec.)
Transmission Rate
(baud)
300
Master
CP 441-2
Job
Slave
CP 341
Acknowledgment
User Data
1 Byte
229
257
179
184
10 Bytes
229
257
179
514
20 Bytes
229
257
180
882
50 Bytes
232
257
182
1986
100 Bytes
236
257
192
3824
200 Bytes
243
257
208
7501
255 Bytes
251
257
214
9487
Transmission Rate
(baud)
9600
Job
Slave
CP 341
Acknowledgment
User Data
Master
CP 441-2
1 Byte
74
8
18
6
10 Bytes
75
8
19
16
20 Bytes
77
8
19
27
50 Bytes
83
8
62
62
100 Bytes
90
8
119
119
200 Bytes
92
8
235
235
255 Bytes
95
8
296
296
Transmission Rate
(baud)
122
76800
Job
Slave
CP 341
Acknowledgment
User Data
Master
CP 441-2
1 Byte
73
1
13
1
10 Bytes
74
1
13
2
20 Bytes
76
1
13
3
50 Bytes
86
1
20
8
100 Bytes
93
1
29
15
200 Bytes
95
1
45
29
255 Bytes
97
1
50
37
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Technical Data
A.1 Technical Data
Slave is CP 341
Function Code 15 (Write) – Force Multiple Coils (Time in msec.)
Transmission Rate
(baud)
300
Master
CP 441-2
Job
Slave
CP 341
Acknowledgment
User Data
1 Byte
205
331
199
257
10 Bytes
206
662
200
257
20 Bytes
206
1028
201
257
50 Bytes
208
2132
212
257
100 Bytes
211
3971
223
257
200 Bytes
217
7648
238
257
255 Bytes
221
9634
243
257
Transmission Rate
(baud)
9600
Job
Slave
CP 341
Acknowledgment
User Data
Master
CP 441-2
1 Byte
48
10
41
8
10 Bytes
48
20
41
8
20 Bytes
50
32
43
8
50 Bytes
52
67
48
8
100 Bytes
55
124
56
8
200 Bytes
63
239
74
8
255 Bytes
67
301
88
8
Transmission Rate
(baud)
76800
Job
Slave
CP 341
Acknowledgment
User Data
Master
CP 441-2
1 Byte
58
1
40
1
10 Bytes
61
3
43
1
20 Bytes
62
4
43
1
50 Bytes
63
8
44
1
100 Bytes
64
15
50
1
200 Bytes
66
30
69
1
255 Bytes
68
38
85
1
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
123
Technical Data
A.1 Technical Data
Slave is CP 441-2
Function Code 1 (Read) – Read Coil (Output) Status (Times in msec.)
Transmission Rate
(baud)
300
Master
CP 341
Job
Slave
CP 441-2
Acknowledgment
User Data
1 Byte
236
257
188
184
10 Bytes
236
257
190
515
20 Bytes
238
257
190
882
50 Bytes
244
257
193
1986
100 Bytes
280
257
199
3824
200 Bytes
286
257
207
7502
255 Bytes
288
257
216
9487
Transmission Rate
(baud)
9600
Job
Slave
CP 441-2
Acknowledgment
User Data
Master
CP 341
1 Byte
33
8
40
6
10 Bytes
33
8
43
16
20 Bytes
35
8
44
28
50 Bytes
42
8
45
62
100 Bytes
56
8
56
120
200 Bytes
75
8
64
235
255 Bytes
82
8
77
296
Transmission Rate
(baud)
124
76800
Job
Slave
CP 441-2
Acknowledgment
User Data
Master
CP 341
1 Byte
35
1
23
1
10 Bytes
36
1
25
2
20 Bytes
37
1
26
3
50 Bytes
46
1
27
8
100 Bytes
61
1
30
15
200 Bytes
82
1
39
29
255 Bytes
92
1
48
37
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Technical Data
A.1 Technical Data
Slave is CP 441
Function Code 15 (Write) – Force Multiple Coils (Time in msec.)
Transmission Rate
(baud)
300
Master
CP 341
Job
Slave
CP 441-2
Acknowledgment
User Data
1 Byte
225
331
223
257
10 Bytes
227
662
224
257
20 Bytes
227
1030
228
257
50 Bytes
227
2132
232
257
100 Bytes
229
3971
236
257
200 Bytes
230
7648
243
257
255 Bytes
237
9634
255
257
Transmission Rate
(baud)
9600
Job
Slave
CP 441-2
Acknowledgment
User Data
Master
CP 341
1 Byte
64
11
62
8
10 Bytes
64
21
63
8
20 Bytes
69
32
64
8
50 Bytes
69
67
68
8
100 Bytes
72
124
70
8
200 Bytes
75
239
76
8
255 Bytes
75
301
86
8
Transmission Rate
(baud)
76800
Job
Slave
CP 441-2
Acknowledgment
User Data
Master
CP 341
1 Byte
60
1
56
1
10 Bytes
60
3
58
1
20 Bytes
62
4
58
1
50 Bytes
64
9
60
1
100 Bytes
67
16
67
1
200 Bytes
72
30
77
1
255 Bytes
77
38
84
1
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
125
Technical Data
A.1 Technical Data
Memory Requirements
The following table displays the memory requirements of the function blocks of the CP 341
(FB 80) and CP 441 (FB 180) in bytes. The memory requirements of the FBs 7 and 8 can be
found in the manual for the CP 341.
126
Block
Name
Version
Load Memory
Main Memory
Local Data
FB 80
MODB_341
1.0
2770
2034
104
FB 180
MODB_441
1.0
2982
2360
102
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
B
Wiring Diagrams Multipoint
Wiring diagram RS422 multipoint (MODBUS Multipoint)
6HQGHU
5HFHLYHU
02'%86PDVWHU
HJ&3RU&3
2
T(A)-
9
T(B)+
4
R(A)-
11
R(B)+
&RQQHFWRU
330 Ω
330 Ω
6ODYH QRQ6LHPHQV
6ODYH QRQ6LHPHQV
6ODYH QRQ6LHPHQV
NOTICE
In the RS422 mode, CP 341 and CP 441-2 can only be used as "Master" because they
cannot switch their send lines to "Tri State".
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
127
Wiring Diagrams Multipoint
Wiring diagram RS485 multipoint (MODBUS Multipoint)
5HFHLYHU
6HQGHU
02'%86PDVWHU
HJ&3RU&3
4
R(A)-
330 Ω
11
R(B)+
&RQQHFWRU
330 Ω
4
R(A)-
6ODYH QRQ6LHPHQV
6ODYH QRQ6LHPHQV
11
R(B)+
6ODYH &3RU&3
The following applies for both modules:
● GND (PIN 8 for CP341 / CP441-2) must always be connected on both sides.
● The casing shield must be installed everywhere.
● A terminating resistor of approx. 330 Ω is to be soldered into the connector on the last
receiver of a node sequence.
● Recommended cable type: LIYCY 3 x 2 x 0.14; R(A)/R(B) or T(A)/T(B) twisted pairs
● Wiring with "stub" is not allowed.
128
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
C
References
C.1
References
MODBUS Protocol
/1/
Gould Modbus Protocol
Reference Guide
PI-MBUS-300 Rev B
GOULD Electronics
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
129
References
C.1 References
130
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Glossary
Block
Blocks are elements of the user program which are defined by their function, structure, or
purpose. STEP 7 has the following:
● Code blocks (FB, FC, OB SFB, SFC)
● Data blocks (DB, SDB)
● User-defined data types (UDT).
Block call
A block call occurs when program processing branches to the called block.
Block parameters
Block parameters are placeholders within multiple-use blocks which are supplied with
updated values when the relevant block is called.
Communications processor
A communications processor is a programmable module for communications tasks, for
example, networking or point-to-point connection.
Configuration
Configuration is the combination of individual modules to form a PLC.
Configuration of data link (CP 441-2 only)
Configuration of data link refers to the specification of a connection_ID in the system function
block. The Connection ID enables the system function blocks to communicate between two
communication terminals.
CPU
Central processing unit of the S7 programmable controller with control and arithmetic unit,
memory, system program, and interfaces to I/O modules.
CRC
Cyclic Redundancy Check = checksum with a guaranteed accuracy of error recognition.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
131
Glossary
Cycle time
The cycle time is the time that the CPU requires to process the user program once.
Cyclic program processing
In cyclic program processing, the user program runs in a program loop, or cycle, that is
constantly repeated.
Data block (DB)
Data blocks are blocks that contain data and parameters with which the user program works.
Unlike all other blocks, they do not contain any instructions. They are subdivided into global
data blocks and instance data blocks.
The data contained in the data blocks can be accessed absolutely or symbolically. Complex
data can be stored in structured form.
Data type
Data types allow the user to define how the value of a variable or constant in the user
program is to be used. SIMATIC S7 makes available two types of data types in accordance
with IEC 1131-3:
● elementary data types
● structured data types
Default setting
The default setting is a basic setting that is always used when no other value is specified.
Diagnostic buffer
The diagnostic buffer is a battery-backed up memory area in CPUs, for example, which is
organized as a ring buffer. Diagnostic events are stored in their order of occurrence.
Diagnostic events
A diagnostic event triggers an entry in the diagnostic buffer of the CPU. A distinction is made
between the diagnostic events as follows:
● errors on a module
● errors in the process wiring
● system errors in the CPU
● operating mode transitions of the CPU
● errors in the user program
● user-defined diagnostic events
132
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Glossary
Diagnostic functions
Diagnostic functions cover the entire system diagnostics and include the detection,
interpretation, and reporting of errors within the PLC.
Download
Downloading of load objects (e.g. code blocks) from the programming device into the load
memory of the central processing unit (CPU).
Function blocks (FBs)
Function blocks are components of the user program and are, according to the IEC
standard, "blocks with memory". The memory for the function blocks is an assigned data
block, the "instance data block". Function blocks can be assigned parameters, i.e. you can
use them with and without parameters.
Hardware
Hardware is the term given to all the physical and technical equipment of a PLC.
Instance data block
An instance data block stores the formal parameters and static data of function blocks. An
instance data block can be assigned to an FB call or to a call hierarchy of function blocks.
Interface submodule
The CP 441-2 interface module physically converts the signals. By changing the plug-in
interface modules, you can make the communications processor compatible with the
communications partner.
Interrupt
Interrupt is a term that designates the interruption of the processing of a program in the
processor of a programmable controller by an external alarm
Main memory
The main memory is a RAM memory unit in the CPU that the processor accesses when
running the user program.
Module
Modules are pluggable PCBs for automation systems.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
133
Glossary
Module parameters
Module parameters are values that can be used to set the module reactions. A distinction is
made between static and dynamic module parameters.
Online help
STEP 7 allows you to display contextual help texts on the screen while working with the
programming software.
Online/Offline
When you are online there is a data connection between the PLC and the programming
device, when you are offline there is no data connection between them.
Operand
An operand is part of a STEP 7 instruction and indicates with what the processor is to
perform an action. An operand can be addressed both absolutely and symbolically.
Operating mode
The SIMATIC S7 programmable controllers have three different operating modes:
STOP, RESTART and RUN. The functionality of the CPU varies in the individual operating
modes.
Operating system of the CPU
The operating system of the CPU organizes all the functions and operations of the CPU that
are not connected to a specific control task.
Parameter
A parameter is
● a variable of a STEP 7 code block,
● a variable for specifying the behavior of a module,
As delivered, each module has an appropriate default setting that can be changed via
hardware configuration.
There are two types of parameters: static and dynamic parameters
Parameter assignment
Parameter assignment means setting the behavior of a module.
134
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Glossary
Parameter assignment tool CP: Assigning Parameters to Point-To-Point Connections
The CP: Assigning Parameters to Point-To-Point Connections Tool is used to assign
parameters to the interface submodule of the communications processor and to set the
driver-specific parameters.
The standard range is expanded for each loadable driver.
Point-to-point connection
In a point-to-point connection, the communications processor forms the interface between a
programmable logic controller and a communication peer.
Procedure
A procedure is the execution of a data transmission according to a particular protocol.
Process image
The process image is a special memory area in the programmable controller. At the start of
the cyclic program the signal states of the input modules are transferred to the process
image input image. At the end of the cyclic program the process output image is transferred
as a signal state to the output modules.
Programmable controller
A programmable controller is an electronic control device consisting of at least one CPU,
various input and output modules, and operator control and monitoring devices.
Protocol
The communications partners involved in data transmission must abide by fixed rules for
handling and implementing the data traffic. These rules are called protocols.
Rack
The rack is the rail containing slots for the modules.
Software
Software refers to the entirety of all programs that are used on a computer system. These
include the operating system and the user programs.
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
135
Glossary
STARTUP
RESTART mode is executed at the transition from STOP to RUN mode. This can be
triggered by the following events:
● By activating the operating mode switch
● After Power on
● By an operator input on the programming device
A distinction is made between a cold restart, restart, and warm restart.
STEP 7
STEP 7 is the programming software of SIMATIC S7.
System blocks
System blocks differ from other blocks in that they are already integrated into the S7-300/S7400 system and are available for already defined system functions. They are subdivided into
system data blocks, system functions, and system function blocks.
System function blocks (SFBs)
A system function block (SFB) is a function block with memory that is integrated in the
operating system of the S7-CPU and can be called like a function block (FB) in the user
program, when necessary.
System functions (SFCs)
A system function (SFC) is a function without memory that is integrated in the operating
system of the S7-CPU and can be called like a function (FC) in the user program, when
necessary.
Tool
A tool is a software tool for configuring and programming.
Upload
Uploading of load objects (e.g. code blocks) from the load memory of the central processing
unit into the programming device.
User program
The user program contains all instructions and declarations for processing the signals used
for controlling a system or a process. In SIMATIC S7 the user program is structured and
divided into small units, the blocks.
136
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Glossary
Variable
A variable is a data element with variable content that can be used in the STEP 7 user
program. A variable consists of an operand (such as M 3.1) and a data type (such as BOOL)
and can be designated with a symbol (such as BELT_ON).
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
137
Glossary
138
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
Index
FC-01, 14
FC-02, 14
FC-03, 14
FC-04, 14
FC-05, 14, 44
FC-06, 14, 44
FC-08, 95
A
Address Representation, 15
Assigning parameters to the CPU, 51
B
Broadcast, 67
C
Character delay time CDT, 38, 69
Configuration of data link, 34
Connection ID, 34, 65
Counters, 22
CRC, 68
D
Data blocks, 22
Data consistency, 64, 66
Diagnostics, 103, 117
Display elements (LEDs), 103
Dongle, 13, 17
E
Exception code, 69
I
Inputs, 22
Instance data block, 19, 53, 58
Interface modules
RS 232C, 11
TTY, 11
X27, 11
L
Load memory, 13
M
Memory bit, 22
Message frame structure, 67
Multipoint connection, 11
O
Operating mode, 37
Outputs, 22
F
Function block, 11, 19, 21, 54, 55, 108
Function code, 11, 22, 68
FC 01, 38
FC 03, 42
FC 04, 43
FC 05, 38
FC 06, 42
FC 15, 38
FC -15, 14
FC -15, 44
FC 16, 42
FC -16, 14
FC -16, 44
P
Parameter assignment, 31, 32
Parity, 36
R
Response time, 61
S
Slave Address, 37, 67
Startup characteristics, 50
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06
139
Index
Loading procedure, 51
SYSTAT, 103, 108
Event Classes, 109
Event number, 109
Transmission rate, 35
Transmission times, 121
T
Uninstalling, 28
U
Timers, 22
Transmission error, 37, 47
140
Loadable Driver for Point-to-Point CPs: MODBUS Protocol, RTU format, S7 is Slave
Operating Instructions, 09/2009, A5E00218418-06